[Rpm-maint] [rpm-software-management/rpm] Cannot import a GPG key with signatures (#1306)
Neal Gompa (ニール・ゴンパ)
notifications at github.com
Sat Dec 26 08:42:26 UTC 2020
> > > > Yes, this is a known - or not so well known - limitation. As the signature check is basically done by hand, it lacks a lot of features one would expect of GPG proper.
> > >
> > > Can we (as an option) use a third-party library, such as [rpgp](https://github.com/rpgp/rpgp)?
> >
> > Rust is not acceptable due to its weak portability.
>
> Writing a full PGP packet parser in C is too risky, IMO. GPG itself had a buffer overflow not too long ago. We can always detect at compile-time if the Rust library is available, and fall back to the built-in parser if it is not.
The issue is that RPM has to work on _everything_. RPM is used on Linux, Windows (!!!), OS/2 (!!!!!), AIX, IRIX, macOS, and so on. Several of these platforms cannot use Rust or will never get Rust ports.
> That said, there are C libraries that we can use instead, such as the one used by Thunderbird.
I think good C libraries for GPG would actually be really helpful, since we could use it throughout the RPM package management stack then. Relying on GnuPG causes major issues, especially in containers and offline provisioning cases.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1306#issuecomment-751335604