[Rpm-maint] [rpm-software-management/rpm] Cannot import a GPG key with signatures (#1306)
Demi Marie Obenour
notifications at github.com
Sat Dec 26 04:31:10 UTC 2020
> > > Yes, this is a known - or not so well known - limitation. As the signature check is basically done by hand it lacks a lot of features one would expect of GPG proper.
> >
> >
> > Can we (as an option) use a third-party library, such as [rpgp](/rpgp/rpgp)?
>
> Rust is not acceptable due to its weak portability.
Writing a full PGP packet parser in C is too risky, IMO. GPG itself had a buffer overflow not too long ago. We can always detect at compile-time if the Rust library is available, and fall back to the built-in parser if it is not.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1306#issuecomment-751317064