
Re: PROPOSAL: GPG Signing of Releases

From: Ben Laurie <ben_at_algroup.co.uk>
Date: 2004-04-14 11:16:50 CEST

John Peacock wrote:
> Brian W. Fitzpatrick wrote:
>>> 1) Since the people presenting these arguments are comfortable with
>>> GPG/PGP and the web of trust. They assume other users will be. I think
>>> the whole web of trust thing is fundamentally confusing to end users in
>>> general. If you don't believe me go look for all the FAQs about it.
>>> It's not easy to explain, understand or use.
>> I agree with this, and will reiterate my response: KeyMan.
> This (is this what you were talking about?):
> http://keyman.aldigital.co.uk/
> is a little sketchy on the actual sequence of daily usage.
> How would a user wanting to check the signature of a release go about
> it?

They'd use KeyMan in much the same way as a developer would.

> Is KeyMan strictly a management tool on the developer-side to
> manage the individual keys, or would everyone who uses Subversion and
> wishes to check the signature need to download it as well?

Everyone who wanted to check the signature would need to download it.
The point being that it does what GPG doesn't do - checks the trust path(s).



http://www.apache-ssl.org/ben.html       http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
Received on Wed Apr 14 14:22:07 2004

This is an archived mail posted to the Subversion Dev mailing list.
