Re: [platform-dev] PGP Signing Question?
Mickael,
Thanks.
More comments below.
On 03.01.2022 13:18, Mickael Istria wrote:
Is there a bug here? I don't think we can expect the
users to grant trust on the basis of some hexadecimal
numbers...
Actually, they can grant trust based on those numbers
because users should verify those signers are trusted, e.g. by
checking whether the ids are matching some verified keys in
some external PGP services.
But indeed, the UI is still rough and still needs to be
improved.
I've opened
https://bugs.eclipse.org/bugs/show_bug.cgi?id=578024 to
track this issue. Minimally the help for the dialog should
describe how to find such external PGP services and in our case
specifically how to verify that this is an Eclipse project's key.
We can discuss the details there. I can try to help iron out the
wrinkles...
Where/what is the best way for asking questions and for
discussing the implementation details? I posted on
platform-dev because the entire platform is affected by
these design decisions, but perhaps I should restrict this
to p2-dev or elsewhere?
Bugs against p2 are the best channel IMO.
So, for example, if I have the question "is it guaranteed that
two different org.bouncycastle.openpgp.PGPPublicKey instances
might have the same
org.bouncycastle.openpgp.PGPPublicKey.getKeyID() values" that
should be a p2 Bugzilla? I wouldn't ask that on platform-dev but
I would have thought to ask on p2-dev rather than open a question
Bugzilla. I see no reason to assume that the getKeyID values are
unique, though I suppose the chances of collisions are vanishingly
small (and downstream utility class seem to assume this).
I expect there is a concern about the size of many such
duplicate keys, but with both jar and *.xz
compression that isn't really so much a problem. I.e.,
1000 copies of the key have minimal impact on the size of the
compressed artifacts as seen here where the artifacts.xml
has 1000 copies of the key:
OK, I probably made a wrong estimation back then, and
maybe adding the signer key to each artifact would be
preferable.
And even the
org.eclipse.equinox.p2.tests.engine.CertificateCheckerTest.testPGPSignedArtifactUntrustedKey()
test works that way...
Yes, this is supposed to work with key as artifact
property. The metrics you shared seem to highlight it would
be a better approach, so please open a bug to
Platform/Releng so we can try to improve that.
I've opened
https://bugs.eclipse.org/bugs/show_bug.cgi?id=578023 to
track this issue.
_______________________________________________
platform-dev mailing list
platform-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/platform-dev
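
The key ID uniqueness question raised in the message above, as an added example (not code from p2 or Bouncy Castle; plain JDK 17): for version 4 OpenPGP keys, RFC 4880 defines the key ID as the low-order 64 bits of the SHA-1 fingerprint, so an index should treat the key ID as a lookup hint and compare full fingerprints before trusting a key. The class name `KeyIdIndex`, the packet bytes and the second fingerprint are constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.util.*;

/** Added example: key index that treats the 64-bit key ID as a lookup hint only. */
public class KeyIdIndex {
    // key ID -> hex fingerprints of every key seen with that ID (never overwritten)
    private final Map<Long, Set<String>> byKeyId = new HashMap<>();

    /** RFC 4880 sec. 12.2: v4 fingerprint = SHA-1(0x99 || 2-byte length || key packet body). */
    static byte[] fingerprintV4(byte[] packetBody) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update((byte) 0x99);
        sha1.update((byte) (packetBody.length >> 8));
        sha1.update((byte) packetBody.length);
        return sha1.digest(packetBody);
    }

    /** The v4 key ID is the low-order 64 bits (last 8 bytes) of the fingerprint. */
    static long keyId(byte[] fingerprint) {
        return ByteBuffer.wrap(fingerprint, fingerprint.length - 8, 8).getLong();
    }

    void add(byte[] fingerprint) {
        byKeyId.computeIfAbsent(keyId(fingerprint), id -> new LinkedHashSet<>())
               .add(HexFormat.of().formatHex(fingerprint));
    }

    /** All candidates for a key ID; the caller must still match the full fingerprint. */
    Set<String> candidates(long id) {
        return byKeyId.getOrDefault(id, Set.of());
    }

    public static void main(String[] args) throws Exception {
        // Constructed bytes, not a real key: version 4, creation time, algorithm 1, filler.
        byte[] body = {4, 0x61, (byte) 0xD2, (byte) 0xE0, 0x00, 1, 0x00, 0x08, (byte) 0xC3};
        byte[] fpA = fingerprintV4(body);
        // Constructed second fingerprint that shares only the last 8 bytes with fpA.
        byte[] fpB = fpA.clone();
        fpB[0] ^= 0x01;

        KeyIdIndex index = new KeyIdIndex();
        index.add(fpA);
        index.add(fpB);
        long id = keyId(fpA);
        System.out.printf("key ID %016X -> %d candidate(s)%n", id, index.candidates(id).size());
        System.out.println("same key ID: " + (keyId(fpA) == keyId(fpB)));
        System.out.println("same fingerprint: " + Arrays.equals(fpA, fpB));
    }
}
```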