Subject: Re: adding gpg to src/gnu/dist
To: None <tech-userlevel@NetBSD.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 05/12/2004 21:02:32
On Thu, May 13, 2004 at 02:50:41AM +0200, Hubert Feyrer wrote:
> On Wed, 12 May 2004, Simon J. Gerraty wrote:
> > Why does it need to be gpg or even gpg like? You can use
> > and openssl command line to generate a sig (though its lame that
> > you have to extract the pubkey from a cert).
>
> Maybe because we understand gpg (pgp) now, plus are building up a web of
> trust for it.
"Building up a web of trust" is not all that useful when what users want
is to verify, for instance, that release binaries (or, in most contexts I
can think of, package binaries) came from an entity vouched for by The
NetBSD Foundation. That's the classic hierarchical trust model; it is the
classic application for certificate-based signatures, which OpenSSL does
just fine.
I am appalled by many things about GPG, not least of which are its size,
its extensive dependencies (which include Perl), and its horrendous user
interface which betrays an utter lack of understanding of the key role
that usability plays in the actual secure use of security software. When
we already have a program in the base system that can do the job that it
is being proposed that we use GPG for, and, even better, that program is
merely a command-line interface to a library which could easily be directly
linked into the appropriate system/package tools, I am very, very strongly
opposed to importing GPG into the base system for this purpose.
I'm adding tech-security to the carbon list, as that's the appropriate place
to discuss security issues IMHO, not on tech-userlevel; this discussion
probably overlaps both areas, but it has a clear security component.