[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] r17417: {updater} explain a bit better about why GPG signature checking in tha (updater/trunk/specs)



Author: nickm
Date: 2008-11-30 01:49:10 -0500 (Sun, 30 Nov 2008)
New Revision: 17417

Modified:
   updater/trunk/specs/thandy-spec.txt
Log:
explain a bit better about why GPG signature checking in thandy is not going to happen.

Modified: updater/trunk/specs/thandy-spec.txt
===================================================================
--- updater/trunk/specs/thandy-spec.txt	2008-11-30 06:37:05 UTC (rev 17416)
+++ updater/trunk/specs/thandy-spec.txt	2008-11-30 06:49:10 UTC (rev 17417)
@@ -739,7 +739,10 @@
 
 R.2. Integration with existing GPG signatures
 
-  The OpenPGP signature and key format is so complicated that you'd
-  have to be mad to touch it.
+  The OpenPGP signature and key format is so complicated that you'd have
+  to be mad to try to read it yourself.  (Check out RFC2440 for
+  information about how bad it is in theory; in practice, it's worse.)
+  Therefore, if we wanted to check OpenPGP signatures, we would
+  basically have to bundle GPG.