[WineHQ] service.cgi fixes
cmorgan at alum.wpi.edu
Fri Jun 11 09:28:34 CDT 2004
We don't have a good way of distributing and managing the gpg keys, there is
no script control over that part of winrash. If there was an automated and
secure way of keeping the trusted signatures up to date I wouldn't mind
turning it back on. It just has to be something that can be maintained
without manual intervention with gpg. I'm also not really sure how the whole
gpg signature thing works. Right now we bundle a config file for gpg that
trusts your signature. Can we have that managed by the service so it happens
automatically or does that implicitly violate the trust as we are getting the
signature from the service initially?
On Friday 11 June 2004 9:49 am, Paul Millar wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Hi Dimi,
> Why remove the verification of the code's gpg signature? It seems to
> break a basic security maxim: don't trust the network.
> On Thursday 10 June 2004 22:48, Dimitrie O. Paun wrote:
> > ChangeLog
> > Do not include irrelevant stuff in the _history.
> > Do not instruct the client to verify the .sig,
> > it's a b0rken idea anyway.
> - --
> Paul Millar
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> -----END PGP SIGNATURE-----
More information about the wine-devel