From: Alan W. I. <ir...@be...> - 2004-02-20 17:16:25
On 2004-02-20 08:00+0100 Rafael Laboissiere wrote:

> [....]please, provide a dummy
> GPG key number to the upload-cvs-tarball.sh script. The one that appears
> currently in http://plplot.sourceforge.net/cvs-tarball/ is mine, but that is
> wrong. This is also valid for the other developers that do not sign the
> uploaded tarball.

Note, there was no detached signature so the practical consequences were nil, but nevertheless I agree it would be better not to have your key id associated with the no signature case, and in fact I wouldn't allow the no signature case (see below).

Here is the solution to this problem that I would recommend. Rafael, please change your script to test the exit status of the gpg signing attempt and only proceed with the upload if the gpg signing succeeded. As I have reason to know, that key signing fails and no signature file is produced if the key does not belong to you.

That script change will solve your concern that your key id will inappropriately be put on the website and will also force everybody who wants to use the convenience of the script to provide a correct key id number that belongs to them. That encouragement is worthwhile because the resulting detached signature provides a convenient check for the user that there haven't been any transmission errors. Also, there is some security benefit from generating an electronic signature that is unique to the combination of the individual that signed the tarball and the exact bit pattern of the tarball.

Alan
__________________________
Alan W. Irwin
email: ir...@be...
phone: 250-727-2902
Astronomical research affiliation with Department of Physics and Astronomy, University of Victoria (astrowww.phys.uvic.ca).
Programming affiliations with the PLplot scientific plotting software package (plplot.org), the Yorick front-end to PLplot (yplot.sf.net), the Loads of Linux Links project (loll.sf.net), and the Linux Brochure Project (lbproject.sf.net).
__________________________

Linux-powered Science
__________________________
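
The script change recommended in the message above, as an added example that is not part of the original post and is not PLplot's upload-cvs-tarball.sh: the upload runs only when gpg exits with success, a signature file exists, and that signature verifies. The `upload_with_scp` helper, `UPLOAD_DEST`, and the `GPG`/`UPLOAD` override variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sign a tarball, upload only if signing succeeded.
# GPG and UPLOAD can be overridden (assumed names) to test with stubs.
GPG=${GPG:-gpg}
UPLOAD=${UPLOAD:-upload_with_scp}

# Hypothetical uploader; UPLOAD_DEST is an assumed scp destination.
upload_with_scp() {
    scp "$@" "${UPLOAD_DEST:?set UPLOAD_DEST to user@host:/path/}"
}

# Usage: sign_then_upload KEYID TARBALL (variables are global in POSIX sh)
sign_then_upload() {
    key_id=$1
    tarball=$2
    sig="$tarball.asc"

    [ -n "$key_id" ] || { echo "error: no GPG key id given" >&2; return 2; }
    [ -r "$tarball" ] || { echo "error: cannot read $tarball" >&2; return 2; }

    # Remove any stale signature so an old file cannot pass for a new one.
    rm -f "$sig"
    # gpg exits non-zero when it cannot sign with key_id, e.g. because the
    # secret key is not in the caller's keyring (the case in the message).
    if ! "$GPG" --batch --yes --armor --local-user "$key_id" \
            --output "$sig" --detach-sign "$tarball"; then
        echo "error: signing with key $key_id failed; nothing uploaded" >&2
        rm -f "$sig"
        return 1
    fi

    # A zero exit status must also have produced a non-empty signature file.
    if [ ! -s "$sig" ]; then
        echo "error: no signature file produced; nothing uploaded" >&2
        return 1
    fi

    # Verify the signature against the exact bytes about to be uploaded.
    if ! "$GPG" --batch --verify "$sig" "$tarball"; then
        echo "error: signature does not verify; nothing uploaded" >&2
        rm -f "$sig"
        return 1
    fi

    "$UPLOAD" "$tarball" "$sig"
}

# Run as a script: sh sign-and-upload.sh KEYID TARBALL
if [ "$#" -eq 2 ]; then sign_then_upload "$@"; fi
```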