[Rpm-maint] [rpm-software-management/rpm] Cannot import a GPG key with signatures (#1306)
Neal Gompa (ニール・ゴンパ)
notifications at github.com
Sat Dec 26 19:15:11 UTC 2020
> > > > > > > > Yes, this is a known - or not so well known - limitation. As the signature check is basically done by hand, it lacks a lot of features one would expect of GPG proper.
> > > > > > >
> > > > > > >
> > > > > > > Can we (as an option) use a third-party library, such as [rpgp](/rpgp/rpgp)?
> > > > > >
> > > > > >
> > > > > > Rust is not acceptable due to its weak portability.
> > > > >
> > > > >
> > > > > Writing a full PGP packet parser in C is too risky, IMO. GPG itself had a buffer overflow not too long ago. We can always detect at compile-time if the Rust library is available, and fall back to the built-in parser if it is not.
> > > >
> > > >
> > > > The issue is that RPM has to work on _everything_. RPM is used on Linux, Windows (!!!), OS/2 (!!!!!), AIX, IRIX, macOS, and so on. Several of these platforms cannot use Rust or will never get Rust ports.
> > >
> > >
> > > I had not thought of that. Does LLVM support all of those platforms? If so, a `#[no_std]` build of rpgp (that is, one that doesn’t use the standard library) should work on them.
> >
> >
> > It does not. Most of them will likely never receive an LLVM port, because they're not considered important enough to receive it, and GCC already exists. This is one of the unfortunate downsides to Rust being an underspecified language that cannot support multiple conforming implementations.
>
> At the very least, we can use a Rust library on the platforms that support it (most of the important ones) and use our built-in implementation on the others. We should also consider dropping IRIX and probably OS/2 support, as both have been discontinued.
>
That probably provides no material benefit for us. IRIX, AIX, and other Unix-types are supported by community contributors. OS/2 support is maintained _mostly_ out of tree, but we don't need to make their lives considerably harder if we don't have to.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1306#issuecomment-751387145