[WineHQ] service.cgi fixes

Chris Morgan cmorgan at alum.wpi.edu
Fri Jun 11 09:28:34 CDT 2004

We don't have a good way of distributing and managing the gpg keys, there is 
no script control over that part of winrash.  If there was an automated and 
secure way of keeping the trusted signatures up to date I wouldn't mind 
turning it back on.  It just has to be something that can be maintained 
without manual intervention with gpg.  I'm also not really sure how the whole 
gpg signature thing works.  Right now we bundle a config file for gpg that 
trusts your signature.  Can we have that managed by the service so it happens 
automatically or does that implicitly violate the trust as we are getting the 
signature from the service initially?


On Friday 11 June 2004 9:49 am, Paul Millar wrote:
> Hash: SHA1
> Hi Dimi,
> Why remove the verification of the code's gpg signature?  It seems to
> break a basic security maxim: don't trust the network.
> On Thursday 10 June 2004 22:48, Dimitrie O. Paun wrote:
> > ChangeLog
> >     Do not include irrelevant stuff in the _history.
> >     Do not instruct the client to verify the .sig,
> >     it's a b0rken idea anyway.
> - --
> Paul Millar
> Version: GnuPG v1.2.4 (GNU/Linux)
> iD8DBQFAybhq/9JwS78PA+kRAuv/AJ9Ulntb1MLGn+2gp8r/qpy6VqJDVACePwVB
> VXxAHr9gaBuMhIJ7P81ahMA=
> =0tkh

More information about the wine-devel mailing list