> On 12/3/01 at 4:54 PM, Charles Steinkuehler <[EMAIL PROTECTED]>
> wrote:
>
> > Hmm...looks like a new file format, smells like a new file format...
>
> Bah. Not really. The file "format" is all in the *.lrp package, and
> the package contents remain the same. Just give it a new wrapper,
> call it *.srp, and it works. Seems pretty good to me.
>
> However, you still need to create the wrapper - but then, you could
> just save the file like always, then have a "stamp" or "sign" program
> that would create the digital signature.

OK, I think we're closer than I previously thought on the issue of format. I have always felt the bulk of the package should be in a 'classic' gzipped tar file (this probably wasn't clear), but that some sort of extension is required to tack on additional meta-data (especially the crypto signature). I had thought you were arguing against anything that wasn't exactly a tar.gz file readable by the old LRP install scripts.

> All of this assumes there IS something that will check or create the
> signature - PGP is a Pretty Ghastly Pig in space terms, isn't it?

Yeah, I think it's pretty big, plus I believe most of these packages require openssl and other huge add-ons to run. The basics of public-key cryptography, however, are pretty simple, so I think it'd be possible to make a small (a few K, perhaps) binary that would simply calculate and verify signatures, as long as there aren't too many various options to deal with (i.e. no cert chains, or fancy stuff, just plain-old crypto signing).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel
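
A sketch of the wrapper idea discussed in this message, as an added example that is not from the thread or from LRP/LEAF: the tar.gz bytes are left untouched and a trailer carrying a bare hash-then-sign RSA signature is appended, with no certificate chain. The trailer layout, the `SRPSIG1` marker, the function names and the toy key are all assumptions; a real tool would use a padded scheme such as RSA-PSS or Ed25519 and a properly generated key.

```python
import hashlib, io, struct, tarfile

MAGIC = b"SRPSIG1\0"  # hypothetical trailer marker, not an LRP/LEAF format

# Constructed toy key built from two Mersenne primes: trivially factorable,
# for demonstration only. A verifier needs only N and E; D stays with the signer.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
SIG_LEN = (N.bit_length() + 7) // 8
TRAILER_LEN = len(MAGIC) + 4 + SIG_LEN

def _digest_int(payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")

def sign_package(lrp: bytes) -> bytes:
    """Return the package bytes unchanged, plus MAGIC + length + signature."""
    sig = pow(_digest_int(lrp), D, N).to_bytes(SIG_LEN, "big")
    return lrp + MAGIC + struct.pack(">I", len(lrp)) + sig

def verify_package(srp: bytes) -> bytes:
    """Return the original package bytes if the trailer verifies, else raise."""
    if len(srp) < TRAILER_LEN:
        raise ValueError("too short to carry a signature trailer")
    payload, trailer = srp[:-TRAILER_LEN], srp[-TRAILER_LEN:]
    if not trailer.startswith(MAGIC):
        raise ValueError("no signature trailer")
    (plen,) = struct.unpack(">I", trailer[len(MAGIC):len(MAGIC) + 4])
    if plen != len(payload):
        raise ValueError("payload length mismatch")
    sig = int.from_bytes(trailer[len(MAGIC) + 4:], "big")
    # Reject out-of-range values, then compare sig^E mod N with the digest.
    if sig >= N or pow(sig, E, N) != _digest_int(payload):
        raise ValueError("bad signature")
    return payload

def make_sample_lrp() -> bytes:
    """Constructed stand-in for a package: a tar.gz holding one small file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b"sample package contents\n"
        info = tarfile.TarInfo("etc/sample.conf")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Because the payload comes back byte for byte from `verify_package`, an installer that only understands the classic tar.gz can be handed the result unchanged.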