[pacman-dev] New patchset for package signing

Denis A. Altoé Falqueto denisfalqueto at gmail.com
Tue Jul 27 23:24:03 EDT 2010


On Tue, Jul 27, 2010 at 11:11 PM, Ananda Samaddar <ananda at samaddar.co.uk> wrote:
> This is really encouraging Denis, could you possibly update your Wiki
> article with a status report?
>
> http://wiki.archlinux.org/index.php/Package_Signing_Proposal_for_Pacman
>
> Or maybe someone could summarise what the situation is now so us
> impatient folk can surmise how close we are to seeing gpg signing in
> Pacman.  Denis, have you also considered the hash function that is used
> when signing?  It seems that sha256 is considered the best to use at
> the moment.  That is until sha-3 is finalised in 2012.

Well, the current status is the following: the gpg branch from
Allan's repository is quite advanced and only some finishing touches
are needed. My patches are supposed to be those touches, I hope. But
there will be lots of discussions before they can be merged. For
example, now we are discussing the pacman-key management tool. We all
want a high level of quality, so every possible detail will be raised
and the best solution will come out. I just wouldn't hold my breath
for anything yet.

About the hash functions, it depends on the type of key used for the
signature, mainly. There are usually DSA or RSA keys, which don't use
SHA-1 anymore, according to Wikipedia. In fact, what gpg uses, we'll
use too. Still according to wikipedia [1], it is very hard to break a
OpenPGP encryption (it doesn't talk about signatures though, but I
presume it is similar). It shouldn't be a concern.

[1] http://en.wikipedia.org/wiki/Pretty_Good_Privacy#Security_quality

-- 
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
-------------------------------------------
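Added example (not pacman's or gpg's own code) to make the point about hash algorithms concrete: the digest used for a signature is not chosen by pacman but is recorded, together with the public-key algorithm ID, in every OpenPGP signature packet (RFC 4880, section 5.2.3). This is the "digest algo" / "pubkey algo" pair that `gpg --list-packets file.sig` prints, so a repository maintainer can check after the fact which hash a package signature commits to. The parser below handles both new-format and old-format packet headers, which goes slightly beyond the RSA and DSA cases discussed above. The two sample packets are constructed inline with toy-sized MPIs: they are structurally valid but are not real signatures, and the `legacy_digest` flag is this example's own policy check, not something gpg reports.

```python
"""Report the public-key and hash algorithm recorded in an OpenPGP v4
signature packet (RFC 4880 section 5.2.3), offline, the way
`gpg --list-packets` does for the "digest algo" field."""
import struct

# Algorithm IDs from RFC 4880 sections 9.1 and 9.4 (22 = EdDSA, a later extension)
PUBKEY_ALGOS = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
                17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
LEGACY_DIGESTS = {1, 2, 3}   # example's own policy: MD5, SHA-1, RIPEMD-160
SIGNATURE_TAG = 2


def _read_packet_header(data):
    """Return (tag, body_offset, body_length) for the packet starting at data[0]."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if ctb & 0x40:                                  # new-format header
        tag = ctb & 0x3F
        first = data[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + data[2] + 192
        if first == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not supported")
    tag = (ctb >> 2) & 0x0F                         # old-format header
    ltype = ctb & 0x03
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate old-format length not supported")


def parse_signature_packet(data):
    """Parse the first packet in `data`, which must be a v4 signature packet."""
    tag, off, length = _read_packet_header(data)
    if tag != SIGNATURE_TAG:
        raise ValueError(f"expected signature packet (tag 2), got tag {tag}")
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if body[0] != 4:
        raise ValueError(f"only v4 signatures handled, got v{body[0]}")
    sig_type, pk_algo, hash_algo = body[1], body[2], body[3]
    hashed_len = struct.unpack(">H", body[4:6])[0]    # hashed subpackets
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + unhashed_len
    left16 = body[pos:pos + 2]                          # leading 16 bits of the digest
    pos += 2
    mpis = 0                                            # RSA: 1 MPI, DSA/ECDSA: 2 MPIs
    while pos < len(body):
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2 + (bits + 7) // 8
        mpis += 1
    return {
        "sig_type": sig_type,
        "pubkey_algo": PUBKEY_ALGOS.get(pk_algo, f"unknown({pk_algo})"),
        "hash_algo": HASH_ALGOS.get(hash_algo, f"unknown({hash_algo})"),
        "legacy_digest": hash_algo in LEGACY_DIGESTS,
        "hash_prefix": left16.hex(),
        "mpi_count": mpis,
    }


def build_signature_packet(pk_algo, hash_algo, mpis, new_format=True):
    """Assemble a structurally valid v4 signature packet with constructed,
    toy-sized MPIs. Bodies are assumed to be under 192 bytes."""
    creation = struct.pack(">I", 0)                     # creation-time subpacket, epoch 0
    sub = bytes([len(creation) + 1, 2]) + creation      # length, type 2, data
    body = bytes([4, 0x00, pk_algo, hash_algo]) + struct.pack(">H", len(sub)) + sub
    body += struct.pack(">H", 0)                        # no unhashed subpackets
    body += b"\xab\xcd"                                 # constructed digest prefix
    for m in mpis:
        body += struct.pack(">H", m.bit_length()) + m.to_bytes((m.bit_length() + 7) // 8, "big")
    if new_format:
        header = bytes([0xC0 | SIGNATURE_TAG, len(body)])
    else:
        header = bytes([0x80 | (SIGNATURE_TAG << 2), len(body)])   # old format, 1-octet length
    return header + body


# Constructed samples: an RSA/SHA-256 signature (new-format header) and a
# DSA/SHA-1 signature (old-format header, as gpg usually emits).
RSA_SHA256_SIG = build_signature_packet(1, 8, [0xABCD])
DSA_SHA1_SIG = build_signature_packet(17, 2, [0x1234, 0x5678], new_format=False)

if __name__ == "__main__":
    for name, pkt in (("rsa/sha256", RSA_SHA256_SIG), ("dsa/sha1", DSA_SHA1_SIG)):
        print(name, parse_signature_packet(pkt))
```

On a real detached signature, `parse_signature_packet(open("pkg.tar.xz.sig", "rb").read())` returns the same algorithm IDs that `gpg --list-packets` shows, which is the quickest way to confirm that the digest gpg picked for a given key (its `digest-algo` preference) is the one a repository expects.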

