Aaron Bentley wrote:
> John Arbash Meinel wrote:
>> Why not put both detached signatures into the checksum file?
>
> It's not 'both', it's 'all', and in many cases, 'all' is 4 or more
> files. That's a lot of times to enter your password for signing.
> (gpg: --clearsign does not yet work with --multifile)
>
> Aaron

Again, my feeling was to make it expandable, so that if someone wants to
turn on gpg signing, they know in advance that they should probably set
up a gpg-agent of some sort. Actually, since baz now requests 2
signatures on a commit, it motivated me to set up gpg-agent.

My statement was to let people be as paranoid as they want to be. If
they don't want an agent and want to sign 4 times, let them.

I wasn't advocating that it was the default. Probably the best default
would be sha + file-length, I personally would like to see sha-256. If
we want to do sha + md5 + file length by default, that's fine.

But I think adding support for allowing real signatures to be made,
rather than only signatures of hashes would be preferred.

Remember, doing a "tag" already requires 2 sigs, because it does a cacherev.

It is a shame that "--multifile" isn't supported.

John
=:->
_______________________________________________
Gnu-arch-users mailing list
http://lists.gnu.org/mailman/listinfo/gnu-arch-users
GNU arch home page:
http://savannah.gnu.org/projects/gnu-arch/