List: busybox
Subject: Re: Please PGP-sign releases
From: Richard Yao <ryao () gentoo ! org>
Date: 2018-05-28 2:42:31
Message-ID: E9BB65D1-133C-4A5F-BC34-F6BA83B79481 () gentoo ! org
> On May 24, 2018, at 9:54 AM, Eli Schwartz <eschwartz@archlinux.org> wrote:
>
> Currently busybox distributes the file
> https://busybox.net/downloads/busybox-1.28.4.tar.bz2.sign which is an
> armored plaintext file containing inline md5sums/sha1sums in a sea of
> text which cannot be easily parsed by e.g. distro packaging tooling.
> (FWIW, I'm a distro packager who would like to use signatures of the
> tarball itself.)
>
> It would be far more efficient IMHO to simply sign the release tarball
> itself, so it could be directly verified.
Having PGP signing would be nice. I like this idea.
>
> This would be as simple as replacing "signit" in
> https://git.busybox.net/busybox/tree/scripts/bb_release with `gpg
> --detach-sign`
>
> If there's any interest in providing checksums as well, this would best
> be provided with e.g. standard file.sha256 files containing *just* the
> output of the relevant coreutils checksumming command, which can be used
> directly as input to said command when verifying rather than first
> manually parsing the file contents.
>
> ...
>
> As a separate issue, the current signing key is dsa1024 which is
> extremely old and not considered to be secure. It would be in general a
> good idea to create a new rsa4096 key and use that going forward.
>
> --
> Eli Schwartz
> Bug Wrangler and Trusted User
>
> _______________________________________________
> busybox mailing list
> busybox@busybox.net
> http://lists.busybox.net/mailman/listinfo/busybox
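The proposal in the thread above (replace "signit" with `gpg --detach-sign`, ship a `.sha256` file containing only the `sha256sum` output line, and let a packager verify both directly) shown end to end as an added example. This is not BusyBox's `scripts/bb_release`, nor code from either poster. It assumes a throwaway GNUPGHOME, an ephemeral ed25519 key (chosen so the example runs in seconds; `rsa4096` as Eli suggests is a drop-in replacement for the algorithm argument), a constructed stand-in tarball, and a made-up user ID `release@example.invalid`; no real BusyBox key or release is touched. It needs GNU coreutils `sha256sum` and `gpg` on PATH.

```shell
#!/bin/sh
# Added example, not BusyBox's own scripts/bb_release: a release step that
# emits a detached PGP signature and a coreutils-style .sha256 file, plus
# the verification a packager would run. Everything below is constructed:
# throwaway GNUPGHOME, ephemeral key, stand-in tarball (assumptions).
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true' EXIT

# Constructed stand-in for busybox-<ver>.tar.gz; $1 = output path.
make_tarball() {
    mkdir -p "$WORK/src/busybox-0.0.0"
    printf 'int main(void) { return 0; }\n' > "$WORK/src/busybox-0.0.0/main.c"
    tar -C "$WORK/src" -cf - busybox-0.0.0 | gzip -n > "$1"
}

# Ephemeral signing key. ed25519 keeps the example fast; for a long-lived
# release key, rsa4096 works with the same command (just not dsa1024).
setup_signing_key() {
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Release Signer (example) <release@example.invalid>' \
        ed25519 sign never
}

# The detached signature proposed in place of "signit": writes $1.sig beside $1.
sign_release() {
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$1.sig" "$1"
}

# A .sha256 file holding only the sha256sum output line, so it can be fed
# straight back into `sha256sum -c`. Run from the tarball's directory so the
# recorded name is the bare file name rather than a build-host path.
write_sha256() {
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# What a packager runs: checksum first (cheap, catches a corrupt download),
# then the signature (authenticity). Both must pass; nothing is skipped.
verify_release() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" ) &&
        gpg --batch --verify "$1.sig" "$1"
}

# Full flow: returns 0 only if the genuine tarball verifies and a tampered
# copy (same .sig and .sha256, one extra byte in the archive) is rejected.
release_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping" >&2; return 0; }
    t="$WORK/out/busybox-0.0.0.tar.gz"
    mkdir -p "$WORK/out"
    make_tarball "$t"
    setup_signing_key >/dev/null 2>&1
    sign_release "$t"
    write_sha256 "$t"
    cat "$t.sha256"        # exactly one line: "<hex>  busybox-0.0.0.tar.gz"
    verify_release "$t"
    mkdir -p "$WORK/evil"
    cp "$t.sig" "$t.sha256" "$WORK/evil/"
    ( cat "$t"; printf 'x' ) > "$WORK/evil/busybox-0.0.0.tar.gz"
    if verify_release "$WORK/evil/busybox-0.0.0.tar.gz"; then
        echo "tampered tarball verified: BUG" >&2
        return 1
    fi
    echo "good tarball verified, tampered tarball rejected"
}

release_demo
```

The `.sha256` file is deliberately nothing but `sha256sum` output, which is why `sha256sum -c` can consume it without any parsing step; a key point of the thread is that the current `.sign` file cannot be used that way. `gpg --verify` exits 0 whenever the signature checks against a key in the keyring, even an untrusted one, so a distro packager still has to pin the expected signing key (for example by importing only that key into a dedicated keyring) rather than trusting whatever key the signature names.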