FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor


 
 
LinkBack Thread Tools
 
Old 03-30-2011, 11:06 PM
Rémy Oudompheng
 
Default make gpgme optional

The package signing Wiki page says we could make gpgme optional for
pacman. The two following (very small patches) define another callback
for package signing. It allows to make gpgme optional while preserving
signature check capabilities, via an external callback.

How such a callback could be defined remains to be decided in pacman
code or pacman.conf syntax.

--
Rémy.
 
Old 04-10-2011, 11:37 AM
Rémy Oudompheng
 
Default Make gpgme optional

These patches (partially already submitted before) make linking with
gpgme optional, and also implement a configuration option for
pacman to use an external tool for signature checking.
The given example is "gpg --verify - $filename", but "/bin/true"
could be used to totally bypass checking.

To apply on branch 'master', after the previously posted patch set.

Rémy Oudompheng (4):
handle: define a new callback for signature check
signing: make gpgme optional and default to user callback
pacman: add a configuration key for signature checking command
pacman: implement signature check callback using an external command

configure.ac | 19 ++++++++++-
etc/pacman.conf.in | 1 +
lib/libalpm/alpm.h | 12 +++++++
lib/libalpm/error.c | 2 +
lib/libalpm/handle.c | 13 ++++++++
lib/libalpm/handle.h | 1 +
lib/libalpm/signing.c | 33 +++++++++++++++++++--
lib/libalpm/signing.h | 2 +-
lib/libalpm/sync.c | 6 ++-
src/pacman/callback.c | 78 +++++++++++++++++++++++++++++++++++++++++++++++++
src/pacman/callback.h | 3 ++
src/pacman/conf.h | 1 +
src/pacman/pacman.c | 4 ++
13 files changed, 167 insertions(+), 8 deletions(-)

--
1.7.4.4
 
Old 04-11-2011, 07:01 PM
Dan McGee
 
Default Make gpgme optional

On Sun, Apr 10, 2011 at 6:37 AM, Rémy Oudompheng
<remyoudompheng@gmail.com> wrote:
> These patches (partially already submitted before) make linking with
> gpgme optional, and also implement a configuration option for
> pacman to use an external tool for signature checking.
> The given example is "gpg --verify - $filename", but "/bin/true"
> could be used to totally bypass checking.

You totally misread my TODO item, sorry, and I never intended someone
else to do this one but put it on the list in trying to be open about
things. :/

I meant nothing about letting an external tool validate signatures; as
a matter of fact I am highly against this. I only wanted gpgme and
signature checking to be an option that could be omitted when
compiling, for instance if someone decided to use this to manage
custom packages elsewhere with no intent of sharing publicly, or
another OS where gpg is not so readily available.

So I will take a look at the first half, but the second half will not
be going anywhere.

-Dan
 
Old 04-11-2011, 07:17 PM
Rémy Oudompheng
 
Default Make gpgme optional

On 2011/4/11 Dan McGee <dpmcgee@gmail.com> wrote:
> On Sun, Apr 10, 2011 at 6:37 AM, Rémy Oudompheng
> <remyoudompheng@gmail.com> wrote:
>> These patches (partially already submitted before) make linking with
>> gpgme optional, and also implement a configuration option for
>> pacman to use an external tool for signature checking.
>> The given example is "gpg --verify - $filename", but "/bin/true"
>> could be used to totally bypass checking.
>
> You totally misread my TODO item, sorry, and I never intended someone
> else to do this one but put it on the list in trying to be open about
> things. :/
>
> I meant nothing about letting an external tool validate signatures; as
> a matter of fact I am highly against this. I only wanted gpgme and
> signature checking to be an option that could be omitted when
> compiling, for instance if someone decided to use this to manage
> custom packages elsewhere with no intent of sharing publicly, or
> another OS where gpg is not so readily available.

Gah I read "like we do with our download code" which looked exactly
like I thought. However, I may understand that you don't want to merge
this, even if I found the idea interesting.

--
Rémy.
 

Thread Tools




All times are GMT. The time now is 09:45 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org