[Open-collaboration-services] [REQUEST] Extend API to support gpg signature
Frank Karlitschek
karlitschek at kde.org
Wed Jul 28 10:43:42 CEST 2010
On 27.07.2010, at 09:27, Frederik Gladhorn wrote:
> On Monday 26 July 2010 22:54:29 Frank Karlitschek wrote:
>> On 26.07.2010, at 22:10, Frederik Gladhorn wrote:
>>> Sounds pretty good to me. Signatures are about 200 byte if I'm not
>>> mistaken. I would almost favor to inline them in the content/get
>>> request, so we don't need to make a separate call. Any reason not to?
>>
>> I agree. It´s funny, we discussed adding a similar signature field 3 weeks
>> ago at Akademy and it is already in the OCS 1.6 draft
>> http://www.freedesktop.org/wiki/Specifications/open-collaboration-services
>> -draft
>>
>>
>> What do you think? Is this what you need?
>
> Funny, it must have slipped my mind, or I missed that part of the discussion
> (Akademy was total communications overload ;)).
> Anyway, the stuff currently in the spec is a gpg fingerprint, what would one do
> with that? I don't get it. Should the package itself be signed then with this
> key?
>
> Diego's gpg-aa signing approach allows verification where the download comes
> from, even if the server has been compromised. But only on the assumption that
> the user has the key/is part of the web of trust ...
>
> Do we want/need both?
>
> Cheers
> Frederik
Sorry. It seams that I´m not awake yet. :-) I don´t get it.
Which fields do we need and where?
Can you give me an example perhaps?
Thanks :-)
Cheers
Frank
>
>
> _______________________________________________
> Open-collaboration-services mailing list
> Open-collaboration-services at kde.org
> https://mail.kde.org/mailman/listinfo/open-collaboration-services
--
Frank Karlitschek
karlitschek at kde.org
More information about the Open-collaboration-services
mailing list