[Rpm-maint] [rpm-software-management/rpm] Fingerprint subpacket parsing support (#1728)
Justus Winter
notifications at github.com
Fri Feb 4 15:15:53 UTC 2022
> (ITYM = I Think You Mean?)
Yes.
> I would consider any software that generated inconsistent issuer information to be buggy,
If a key is known by two fingerprints, then this is not inconsistent, it is helpful. Your position is like saying a file with two (sym)links is a bug, or a person known under two different names is a bug.
> and supporting multiple lookup keys would be a significantly more complex patch.
Well, an implementation can choose or implement any policy, it just means that it will likely do poorly when encountering unexpected data.
Btw, since you seem to be working on the PGP implementation, I wrote a SOP frontend for RPM that I used to plug it into our test suite. Maybe that is helpful to you:
- https://github.com/teythoon/rpm/tree/justus/rpm-sop
- results from back then: https://tests.sequoia-pgp.org/rpmsop.html
- notably this test checks this exact issue, see the "fake issuer, issuer" vector of https://tests.sequoia-pgp.org/rpmsop.html#Detached_signature_with_Subpackets
> The draft RFC explicitly states “most conflicts are simply syntax errors”, and I decided to reject such malformed signatures.
Yeah, but then the next paragraph states that this particular case is only an apparent conflict.
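Added example, not part of the original message and not RPM's or Sequoia's code: a Python sketch of the "multiple lookup keys" policy discussed above, which collects every Issuer (type 16) and v4 Issuer Fingerprint (type 33) subpacket as a lookup hint and tries each one instead of rejecting the signature when they differ. The function names, the keyring shape (a dict from v4 fingerprint to key) and the sample bytes are assumptions made for illustration; a hint only selects a candidate key, and the signature must still verify against it.

```python
ISSUER_KEYID = 16        # Issuer subpacket: 8-octet key ID
ISSUER_FINGERPRINT = 33  # Issuer Fingerprint: 1-octet key version + fingerprint

def subpackets(area: bytes):
    """Yield (type, body) for each subpacket; raise ValueError on truncation."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                # five-octet length
            if i + 5 > len(area):
                raise ValueError("truncated length")
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("subpacket overruns area")
        yield area[i] & 0x7F, area[i + 1:i + length]  # mask the critical bit
        i += length

def issuer_candidates(area: bytes):
    """Return ordered, de-duplicated lookup hints as ('fpr'|'keyid', bytes)."""
    hints = []
    for typ, body in subpackets(area):
        if typ == ISSUER_FINGERPRINT and len(body) == 21 and body[0] == 4:
            new = [("fpr", body[1:]), ("keyid", body[-8:])]  # v4 key ID = low 64 bits
        elif typ == ISSUER_KEYID and len(body) == 8:
            new = [("keyid", body)]
        else:
            continue
        hints += [h for h in new if h not in hints]
    return hints

def find_signer(area: bytes, keyring: dict):
    """keyring maps v4 fingerprint -> key (assumed shape); try every hint in order."""
    for kind, value in issuer_candidates(area):
        for fpr, key in keyring.items():
            if (kind == "fpr" and fpr == value) or (kind == "keyid" and fpr[-8:] == value):
                return key
    return None

def sp(typ: int, body: bytes) -> bytes:  # helper for the constructed sample below
    return bytes([len(body) + 1, typ]) + body

REAL_FPR = bytes(range(20))  # constructed fingerprint, not a real key
SAMPLE_AREA = sp(16, b"\xff" * 8) + sp(16, REAL_FPR[-8:]) + sp(33, b"\x04" + REAL_FPR)
```

In the constructed `SAMPLE_AREA`, a bogus Issuer subpacket precedes the genuine one, so a parser that trusts only the first hint finds no key, while `find_signer` still resolves the signer.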