[or-cvs] r17417: {updater} explain a bit better about why GPG signature checking in tha (updater/trunk/specs)
Author: nickm
Date: 2008-11-30 01:49:10 -0500 (Sun, 30 Nov 2008)
New Revision: 17417
Modified:
updater/trunk/specs/thandy-spec.txt
Log:
explain a bit better about why GPG signature checking in thandy is not going to happen.
Modified: updater/trunk/specs/thandy-spec.txt
===================================================================
--- updater/trunk/specs/thandy-spec.txt 2008-11-30 06:37:05 UTC (rev 17416)
+++ updater/trunk/specs/thandy-spec.txt 2008-11-30 06:49:10 UTC (rev 17417)
@@ -739,7 +739,10 @@
R.2. Integration with existing GPG signatures
- The OpenPGP signature and key format is so complicated that you'd
- have to be mad to touch it.
+ The OpenPGP signature and key format is so complicated that you'd have
+ to be mad to try to read it yourself. (Check out RFC2440 for
+ information about how bad it is in theory; in practice, it's worse.)
+ Therefore, if we wanted to check OpenPGP signatures, we would
+ basically have to bundle GPG.
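Review bot: The added parenthetical cites RFC2440, which RFC 4880 obsoleted in November 2007; cite RFC 4880 instead (or name both) so the spec points at the current OpenPGP format definition. Separately, the last added sentence ends at "we would basically have to bundle GPG" without saying why bundling is ruled out. If the text following this hunk does not already cover that, add one sentence stating the actual objection so the section reaches the conclusion the log message describes.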