[Open-collaboration-services] [REQUEST] Extend API to support gpg signature

Frederik Gladhorn gladhorn at kde.org
Tue Jul 27 09:27:52 CEST 2010


On Monday 26 July 2010 22:54:29 Frank Karlitschek wrote:
> On 26.07.2010, at 22:10, Frederik Gladhorn wrote:
> > Sounds pretty good to me. Signatures are about 200 bytes if I'm not
> > mistaken. I would almost favor to inline them in the content/get
> > request, so we don't need to make a separate call. Any reason not to?
> 
> I agree. It's funny, we discussed adding a similar signature field 3 weeks
> ago at Akademy and it is already in the OCS 1.6 draft
> http://www.freedesktop.org/wiki/Specifications/open-collaboration-services-draft
> 
> 
> What do you think? Is this what you need?

Funny, it must have slipped my mind, or I missed that part of the discussion 
(Akademy was total communications overload ;)).
Anyway, the stuff currently in the spec is a gpg fingerprint, what would one do 
with that? I don't get it. Should the package itself be signed then with this 
key?

Diego's gpg-aa signing approach allows verification of where the download comes
from, even if the server has been compromised. But only on the assumption that 
the user has the key/is part of the web of trust ...

Do we want/need both?

Cheers
Frederik

