From: Daniel Veillard (Daniel.Veillard@w3.org)
Date: Mon Nov 06 2000 - 05:35:06 EST
On Sun, Nov 05, 2000 at 07:01:09PM +0100, Peter Hanecak wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
>
>
> finally I managed to come back to my rpm2html experiments and I finished
> "resolving" of signatures: every PGP and GPG signature is verified using
> GnuPG and result is included in .html output. Primary goal was to actually
> see info like "package GPG signed by Joe Redneck" in .html output.
sounds really good, but ...
> Notes:
>
> 1) you have to use:
>
> autoconf # to up-date configure
> ./configure --with-gpg # to create proper Makefile
>
> to have this work
>
> 2) current implementation requires librpmio
Got trouble with this:
checking for gpg... /usr/bin/gpg
checking for Fopen in -lrpmio... (cached) no
configure: error: *** librpmio not found
http://rpmfind.net/linux/rpm2html/search.php?query=librpmio
Hum, this is provided only with rpm > 4.0. This is a problem
in the sense that I still use 3.05 on the rpmfind machines. Is there
any reasonable way to bypass this requirement? A lot of people
are still running rpm 3.0X and this sounds like a serious limitation.
> 3)
> - - rpm2html-1.5-sig-resolve.patch is patch against (hopefully) latest CVS
> snapshot (with basic signature processing already included)
> - - rpm2html-1.5-sig-4.patch is patch against "vanilla" rpm2html 1.5
rpm2html-1.5-sig-resolve.patch applied cleanly on my CVS version.
> 4) MD5 checksums are not verified because:
> a) PGP/GPG verification is there just because I did not find other way
> to extract key/signator information from signature itself other than
> actually verifying it
> b) EVERY RPM package should have at least MD5 checksum signature so for
> BIG archives it makes BIG difference if rpm2html verifies also MD5
> checksums
right,
> c) at the end, every user MUST or SHOULD check those signatures for
> themselves either after downloading packages so I consider it enough to
> just "dump" MD5 checksum into .html output.
well rpm itself checks the MD5 before opening the data part of a
package.
> But, if someone wants to verify also MD5 signatures, it should not be very
> hard to add (IMO). Anyone interested?
>
>
> So that's all for now.
I'm concerned a priori (I will see if I can run this) about forking and
exec'ing gpg for every signed package. I'm afraid this may slow down the
indexing significantly for large databases. A cache will be needed and
one clean way to do it would be to store the information in the SQL database
when this one is configured. I will look at it once I manage to run this
on the French mirror.
thanks for the patch, I will propagate it into CVS anyway.
Daniel
--
Daniel.Veillard@w3.org | W3C, INRIA Rhone-Alpes | libxml Gnome XML toolkit
Tel : +33 476 615 257 | 655, avenue de l'Europe | http://xmlsoft.org/
Fax : +33 476 615 207 | 38330 Montbonnot FRANCE | Rpmfind search site
http://www.w3.org/People/all#veillard%40w3.org | http://rpmfind.net/
This archive was generated by hypermail 2b29 : Thu May 10 2001 - 18:40:13 EDT
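
The cache suggested in the reply above, to avoid a gpg fork/exec per package, written out as an added example (not code from rpm2html or from either author). Assumptions: sqlite3 stands in for the SQL database, `run_gpg` is a hypothetical caller-supplied function that returns gpg's `--status-fd` text for one signature, and the table and function names are invented here.

```python
import hashlib
import sqlite3

def open_cache(path=":memory:"):
    """Create (or open) the verification cache table."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sigcache (digest TEXT PRIMARY KEY,"
               " status TEXT NOT NULL, keyid TEXT, signer TEXT)")
    return db

def cache_key(signature: bytes, signed_data: bytes) -> str:
    """Bind the key to the signature AND the signed bytes, so a cached result
    is never reused for altered content; the length prefix keeps the
    (signature, data) split unambiguous."""
    h = hashlib.sha256()
    h.update(len(signature).to_bytes(8, "big"))
    h.update(signature)
    h.update(signed_data)
    return h.hexdigest()

def parse_gpg_status(text: str):
    """Extract (status, keyid, signer) from gpg --status-fd lines."""
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in ("GOODSIG", "BADSIG"):
            return parts[1], parts[2], parts[3] if len(parts) > 3 else ""
        if parts[1] == "ERRSIG":  # e.g. public key missing from the keyring
            return "ERRSIG", parts[2], ""
    return "NOSIG", "", ""

def cached_verify(db, signature, signed_data, run_gpg):
    """Return (status, keyid, signer, from_cache); gpg runs only on a miss."""
    key = cache_key(signature, signed_data)
    row = db.execute("SELECT status, keyid, signer FROM sigcache"
                     " WHERE digest = ?", (key,)).fetchone()
    if row:
        return (*row, True)
    result = parse_gpg_status(run_gpg(signature, signed_data))
    # Cache only definitive verdicts: ERRSIG/NOSIG can change once the
    # keyring gains the missing key, so those are re-checked every run.
    if result[0] in ("GOODSIG", "BADSIG"):
        db.execute("INSERT INTO sigcache VALUES (?, ?, ?, ?)", (key, *result))
        db.commit()
    return (*result, False)
```

A cached GOODSIG reflects the keyring at the time of verification; clear the table when keys are removed, revoked or expire.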