On Tue, Jul 27, 2010 at 11:11 PM, Ananda Samaddar <ananda@samaddar.co.uk> wrote:
> This is really encouraging Denis, could you possibly update your Wiki article with a status report?
> http://wiki.archlinux.org/index.php/Package_Signing_Proposal_for_Pacman
> Or maybe someone could summarise what the situation is now so us impatient folk can surmise how close we are to seeing gpg signing in Pacman. Denis, have you also considered the hash function that is used when signing? It seems that sha256 is considered the best to use at the moment. That is until sha-3 is finalised in 2012.
Well, the current status is the following: the gpg branch from Allan's repository is quite advanced and only some finishing touches are needed. My patches are supposed to be those touches, I hope. But there will be lots of discussion before they can be merged. For example, now we are discussing the pacman-key management tool. We all want a high level of quality, so every possible detail will be raised and the best solution will come out. I just wouldn't hold my breath for anything yet.

About the hash functions, it depends on the type of key used for the signature, mainly. There are usually DSA or RSA keys, which don't use SHA-1 anymore, according to Wikipedia. In fact, what gpg uses, we'll use too. Still according to Wikipedia [1], it is very hard to break an OpenPGP encryption (it doesn't talk about signatures, but I presume it is similar). It shouldn't be a concern.

[1] http://en.wikipedia.org/wiki/Pretty_Good_Privacy#Security_quality

-- 
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
-------------------------------------------
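The point Denis makes above, that the digest is whatever gpg records for the key type and signing options, can be checked directly on a detached signature. The script below is an added example for this thread and is not code from the thread, from the gpg branch or from pacman-key: it generates a throwaway RSA signing key in a temporary GNUPGHOME, produces the kind of detached signature a repository would ship next to a package, verifies it, shows that a tampered copy fails, and reads the digest-algorithm id out of the signature packet. It assumes GnuPG 2.x is on PATH; the key identity, file names and payload are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the pacman-dev thread or from pacman itself.
# Assumes GnuPG 2.x; the key identity, paths and payload are made up.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Unattended key generation from a batch parameter file. No passphrase so
# no pinentry is needed; RSA with sign-only usage, as a repo signing key.
make_signing_key() {
  cat > "$WORK/keyparams" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Example Packager
Name-Email: packager@example.invalid
Expire-Date: 0
%commit
EOF
  gpg --batch --quiet --gen-key "$WORK/keyparams" 2>/dev/null
}

# Detached signature written next to the file, as pkg.tar.xz.sig would be.
# $1 = file to sign, $2 = digest algorithm name (e.g. SHA256).
sign_file() {
  gpg --batch --yes --quiet --digest-algo "$2" --detach-sign -o "$1.sig" "$1"
}

# Prints "ok" when $1.sig is a good signature over $1, "bad" otherwise.
# gpg exits 0 on a good signature even when the key is not trusted.
verify_file() {
  if gpg --batch --quiet --verify "$1.sig" "$1" 2>/dev/null; then
    echo ok
  else
    echo bad
  fi
}

# Reads the OpenPGP hash-algorithm id recorded in the signature packet
# (RFC 4880 values: 2 = SHA-1, 8 = SHA-256, 10 = SHA-512).
sig_digest_id() {
  gpg --list-packets "$1" | sed -n 's/.*digest algo \([0-9]*\).*/\1/p' | head -n 1
}

# Setup: one key, one constructed "package", one signature over it.
make_signing_key
printf 'constructed package payload\n' > "$WORK/pkg.tar.xz"
sign_file "$WORK/pkg.tar.xz" SHA256

# A tampered copy carrying the original signature must fail verification.
cp "$WORK/pkg.tar.xz" "$WORK/tampered.tar.xz"
cp "$WORK/pkg.tar.xz.sig" "$WORK/tampered.tar.xz.sig"
printf 'x' >> "$WORK/tampered.tar.xz"

echo "digest algo id: $(sig_digest_id "$WORK/pkg.tar.xz.sig")"
echo "untouched file: $(verify_file "$WORK/pkg.tar.xz")"
echo "tampered file:  $(verify_file "$WORK/tampered.tar.xz")"
```

Run it as-is; it prints the digest id 8 for SHA-256, `ok` for the untouched file and `bad` for the tampered one. Dropping `--digest-algo` shows what gpg picks for that key by default, which is the behaviour Denis refers to when he says pacman will use whatever gpg uses.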