gpgv: timestamps, validity, expiration, and revocation

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon May 23 16:42:09 CEST 2016


On Tue 2016-05-03 23:48:52 -0700, Bernhard Reiter <bernhard at intevation.de> wrote:
> Am Freitag, 22. April 2016 20:34:41 schrieb Daniel Kahn Gillmor:
>> I'm particularly worried about this because i'm hoping that apt (and
>> other package managers) will move to using gpgv for verification --
>> there's no reason for a verification-only context (like verifying signed
>> package manifests) to need to bundle in all the complexity that goes
>> with secret key handling. 
>
> I'm unsure about this; the extra burden of maintaining a verification-
> only version may be higher than what you win by having it in some
> contexts.  So a valid solution could be to just remove gpgv completely.

I really hope this doesn't happen.  The API to gpgv is much simpler than
the API to gpg, and we should be encouraging the use and distribution of
simple tools that are harder to misuse, particularly for critical
functionality like package signatures.

> I guess you should file a report, just to be able to refer to and track the 
> issue.

I've reopened:

 https://bugs.gnupg.org/gnupg/issue1537

which seems to report the same issue, and which claims it was resolved
already :/

        --dkg
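As an added illustration of the verification-only flow dkg describes (this script is not from the thread, from apt or from GnuPG), the following builds a throwaway signing key with full gpg, signs a constructed manifest, exports only the public key into a standalone keyring, and then verifies the signature with gpgv, which needs neither secret keys nor an agent. The user ID, file names and manifest contents are made up for the example; it assumes gpg and gpgv are installed.

```shell
#!/bin/sh
# Added example, not from the thread or from GnuPG: a verification-only
# workflow in the shape a package manager would use it. A throwaway key,
# keyring and manifest are constructed here; the user ID, file names and
# manifest contents are made up for the example.
set -e

# setup_fixture: create a temporary GNUPGHOME, generate a signing key,
# sign a constructed manifest, and export the public key into a standalone
# keyring file. Prints the fixture directory. Everything that touches
# secret material happens here, with full gpg.
setup_fixture() {
    dir=$(mktemp -d)
    GNUPGHOME="$dir/gnupghome"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Example Archive Key <archive@example.test>' \
        default default never >/dev/null 2>&1

    # Constructed manifest standing in for a package index.
    printf 'Package: hello\nVersion: 1.0\nSHA256: 0123456789abcdef\n' > "$dir/Release"
    gpg --batch --quiet --detach-sign --output "$dir/Release.gpg" "$dir/Release"

    # Export the public key only: this file is all the verifier ever sees.
    gpg --batch --quiet --export --output "$dir/trusted.gpg" archive@example.test
    echo "$dir"
}

# verify_release DIR: succeed only if Release.gpg is a good signature over
# Release by a key in trusted.gpg. gpgv needs no agent, no secret keys and
# no trust database; the keyring file is the whole trust root.
verify_release() {
    gpgv --keyring "$1/trusted.gpg" "$1/Release.gpg" "$1/Release" >/dev/null 2>&1
}

# Stand-alone demonstration: a good signature verifies, a modified
# manifest does not.
if [ "${1:-}" = "demo" ]; then
    fixture=$(setup_fixture)
    verify_release "$fixture" && echo "original manifest: OK"
    printf 'Extra: tampered\n' >> "$fixture/Release"
    verify_release "$fixture" || echo "modified manifest: BAD signature (expected)"
    GNUPGHOME="$fixture/gnupghome" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$fixture"
fi
```

Run it as `sh verify.sh demo`. The point of the split is that the verifier side (`verify_release`) is a single gpgv invocation with an explicit keyring and no home-directory state, which is the simpler, harder-to-misuse interface the message argues for. The thread's subject concerns how gpgv treats timestamps, expiration and revocation of the keys in that keyring; this example exercises only the basic good-signature/bad-signature path and makes no claim about those checks.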