Re: [Monotone-devel] netsync transport encryption?
From: Chad Walstrom
Subject: Re: [Monotone-devel] netsync transport encryption?
Date: Wed, 25 Oct 2006 15:42:02 -0500
Ulf Ochsenfahrt <address@hidden> wrote:
> I meant: monotone should drop its proprietary message signing and
> use GPG instead. :D
I used to think that, but I have since abandoned this idea. Why? I
was convinced otherwise. If you check out the FAQ, you'll get your
answer as to why monotone uses its own
(http://venge.net/monotone/wiki/FAQ):
Why not use GNU diff format diffs with GPG signatures?
* Classical diffs don't do binary very well.
* GPG as a subprocess is slow, tricky and fragile; crypto++
in-process is fast, simple and reliable.
* Classical diffs may be whitespace-mangled, which invalidates
signatures, so you need to ascii-armor it anyways.
* OpenPGP packet format is quite baroque, we need much less than it
can do.
* The web of trust is useful for verifying that the name on a key
matches the name on a passport. It isn't very useful for
verifying that the holder of a key should have commit access to
your project. We like to trust keys based on the quality of the
code they sign, not based on the name attached to them. (In
fact, every VCS we know of that does use OpenPGP keys doesn't
leverage the web of trust at all, but rather requires you to
explicitly upload each key you want to trust.)
* In the rare case where you do know that the person whose
passport says "Jane Doe" is a hotshot coder who should
definitely have commit access, you can always ask her to just
PGP-sign her email saying "my monotone key's fingerprint is
70a0f283898a18815a83df37c902e5f1492e9aa2".
* You likely don't want to use your real PGP key for developing
software in any case; most PGP keys should not, for instance, be
put on a laptop that might be stolen. Yet many people would like
to develop software while using their laptops.
--
Chad Walstrom <address@hidden> http://www.wookimus.net/
assert(expired(knowledge)); /* core dump */
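
An added example, not part of the original message and not monotone's own code: the FAQ's trust model (keys are accepted only after being listed explicitly, and a signature covers exact bytes, so whitespace mangling breaks it) sketched with in-process signing. Assumptions: Ed25519 from Go's standard library stands in for monotone's crypto++ signing, the fingerprint is taken as the hex SHA-1 of the raw public key, and all names (TrustStore, Demo, demoKey) are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Fingerprint: hex SHA-1 of the raw public key bytes (assumed scheme).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha1.Sum(pub)
	return hex.EncodeToString(sum[:])
}

// TrustStore holds only keys the project owner added explicitly.
type TrustStore map[string]ed25519.PublicKey

// Verify rejects unknown fingerprints before checking the signature.
func (t TrustStore) Verify(fp string, data, sig []byte) error {
	pub, ok := t[fp]
	if !ok {
		return fmt.Errorf("key %s is not in the trust store", fp)
	}
	if !ed25519.Verify(pub, data, sig) {
		return fmt.Errorf("signature by %s does not match these bytes", fp)
	}
	return nil
}

// demoKey builds a deterministic key from a constructed seed (demo only).
func demoKey(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// Demo returns results for: exact bytes, whitespace-mangled bytes, unlisted signer.
func Demo() (exact, mangled, unlisted error) {
	devPub, devPriv := demoKey('d')
	otherPub, otherPriv := demoKey('o')
	store := TrustStore{Fingerprint(devPub): devPub} // explicit upload of one key
	patch := []byte("-\treturn x\n+\treturn x + 1\n")  // constructed sample diff
	sig := ed25519.Sign(devPriv, patch)
	tabsToSpaces := bytes.ReplaceAll(patch, []byte("\t"), []byte("    "))
	return store.Verify(Fingerprint(devPub), patch, sig),
		store.Verify(Fingerprint(devPub), tabsToSpaces, sig),
		store.Verify(Fingerprint(otherPub), patch, ed25519.Sign(otherPriv, patch))
}

func main() {
	fmt.Println(Demo())
}
```

The third case carries a valid signature and is still rejected, because the signer's key was never added to the store.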