On 10/21/21 18:12, Justus Winter wrote:
> First, I think replacing RPM's point solution with a general purpose
> implementation will improve correctness.  Robust signature verification
> requires canonicalization of the issuing certificate, which is tricky
> [0], [1], [2].

Wait, those links don't say why canonicalization is required. What's
the attack vector? Do you have other pointers?

> Further, RPM shouldn't be burdened with maintaining
> their own point solution, which will require constant maintenance to
> keep up with evolving standards and algorithms.

I somewhat agree except that PGP moves really really slowly. It takes
ages till some new algorithm goes in. See EdDSA as an example.

> Second, Rust has been criticized for being not too portable [3].  While
> there is some truth to that, at least today, there is ongoing work to
> add a GCC backend to the Rust compiler [4], and to write a Rust frontend
> for GCC [5].

But doesn't that mean that we need to wait till this work is done?

Cheers,
  Michael.

-- 
Michael Schroeder          SUSE Software Solutions Germany GmbH
m...@suse.de      GF: Felix Imendoerffer HRB 36809, AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

Reply via email to