This is the mail archive of the cygwin-apps@cygwin.com mailing list for the Cygwin project.



Re: unofficial packages


----- Original Message -----
From: "David A. Cobb" <superbiskit@cox.net>
To: "Robert Collins" <robert.collins@syncretize.net>

> >>Hmmm...so *setup* would have to know who maintains what, as far as
> >>official packages go.  Now, this can't be compiled-into the executable;
> >>it has to be distributed from the mirrors.  Are you thinking encryption?
> >>  'cause that's pointless -- the decryption key has to be bound into
> >>setup.exe; thus, available from setup's sources.
> >>
> >>
> >
> >No, I'm thinking it's part of the setup.bz2 file.
> >
>
> IIRC, /encryption/ requires to know the _recipient's_ public key.  OTOH,
> /signing/ the info with a known key requires only to know the _sender's_
> public key.

Well, the keys are symmetric. I can encrypt something with either my private
key or your public key. If it's encrypted with my private key, anyone with
my public key can decrypt it, and be confident that I had encrypted it (aka
signed it). If it's encrypted with your public key, only you can decrypt it.

The important points here are:
* we need one keypair per maintainer (or else someone has to take
responsibility to sign packages, which is what we are trying to
decentralize).
* the list of 'official' maintainers' public keys would be distributed in
some easy fashion, probably as you suggested in your other email as a
keychain in a package with all the keys signed by someone 'trusted'.

> >Give every official maintainer an @cygwin.com address, and those addresses
> >point straight into cygwin@cygwin.com for maintainers that object to private
> >mail.
> >
> >
> And this would make the info in the keyring suitable for public
> consumption - nothing sensitive in that.
>
> The only 'gotcha' is, if I have a "superbiskit@cygwin.com" address - as
> I already have one at "@users.sourceforge.net" it would probably just
> relay mail to my normal inbox.  Anybody ill-willed who gets it can be
> just as much a PITA as if he knew my "real" address.

?? "and those addresses point straight into cygwin@cygwin.com for
maintainers that object to private mail.". How does that equate to relaying
to your normal mailbox?

Rob
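
Added example, not part of the original message or of Cygwin setup: a sketch of the scheme discussed above, with one keypair per maintainer and a keyring signed by a 'trusted' key. It assumes textbook RSA over a SHA-256 hash with fixed Mersenne primes (illustration only, not secure); the addresses, key names and package bytes are constructed.

```python
import hashlib

E = 65537  # public exponent shared by all demo keys

def make_key(p, q):
    """Textbook RSA keypair from two primes (demo only, no padding)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"pub": (n, E), "priv": (n, d)}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)  # private-key operation on the hash

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)  # public-key operation undoes it

def encode_keyring(keyring):
    """Deterministic byte form of {address: public key}, so it can be signed."""
    return "\n".join(f"{a} {n} {e}" for a, (n, e) in sorted(keyring.items())).encode()

def check_package(root_pub, keyring, keyring_sig, maintainer, pkg, pkg_sig):
    """Trust chain: root key -> keyring -> maintainer key -> package."""
    if not verify(root_pub, encode_keyring(keyring), keyring_sig):
        return "keyring not signed by trusted key"
    if maintainer not in keyring:
        return "unofficial: signer not in keyring"
    if not verify(keyring[maintainer], pkg, pkg_sig):
        return "bad package signature"
    return "official"

# Constructed sample data: Mersenne primes stand in for real key material.
M61, M89, M107, M127 = (2**k - 1 for k in (61, 89, 107, 127))
ROOT = make_key(M89, M127)      # the 'trusted' keyring signer (hypothetical)
MAINT = make_key(M89, M107)     # an official maintainer (hypothetical)
OUTSIDER = make_key(M61, M127)  # someone not on the list (hypothetical)
KEYRING = {"maintainer@cygwin.example": MAINT["pub"]}
KEYRING_SIG = sign(ROOT["priv"], encode_keyring(KEYRING))
PKG = b"constructed package bytes"
PKG_SIG = sign(MAINT["priv"], PKG)

if __name__ == "__main__":
    print(check_package(ROOT["pub"], KEYRING, KEYRING_SIG,
                        "maintainer@cygwin.example", PKG, PKG_SIG))
```

Only public keys travel in the keyring, so it can be shipped from the mirrors; a real deployment would use a vetted implementation such as GnuPG rather than this arithmetic.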

