On Mon, Jan 3, 2022 at 11:55 AM Ed Merks <ed.me...@gmail.com> wrote: > Is there a bug here? I don't think we can expect the users to grant trust > on the basis of some hexadecimal numbers... >
Actually, they can grant trust based on those numbers because users should verify those signers are trusted, eg by checking whether the ids are matching some verified keys in some external PGP services. But indeed, the UI is still rough and still needs to be improved. Where/what is the best way for asking question and for discussing the > implementation details? I posted on platform-dev because the entire > platform is affected by these design decisions, but perhaps I should > restrict this to p2-dev or elsewhere? > Bugs against p2 are the best channel IMO. > I expect there is a concern about the size of many such the duplicates > keys, but with both jar and *.xz compression that isn't really so much a > problem. I.e., 1000 copies of the key has minimal impact on the size > compressed artifacts as seen here where the artifacts.xml has 1000 copies > of the key: > OK, I probably made a wrong estimation back then, and maybe adding the signer key to each artifact would be preferable. And even the > org.eclipse.equinox.p2.tests.engine.CertificateCheckerTest.testPGPSignedArtifactUntrustedKey() > test works that way... > Yes, this is supposed to work with key as artifact property. The metrics you shared seem to highlight it would be a better approach, so please open a bug to Platform/Releng so we can try to improve that.
_______________________________________________ platform-dev mailing list platform-dev@eclipse.org To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/platform-dev
