On 10/21/21 18:12, Justus Winter wrote:
> First, I think replacing RPM's point solution with a general purpose
> implementation will improve correctness. Robust signature verification
> requires canonicalization of the issuing certificate, which is tricky
> [0], [1], [2].

Wait, those links don't say why canonicalization is required. What's the attack vector? Do you have other pointers?

> Further, RPM shouldn't be burdened with maintaining
> their own point solution, which will require constant maintenance to
> keep up with evolving standards and algorithms.

I somewhat agree except that PGP moves really really slowly. It takes ages till some new algorithm goes in. See EdDSA as an example.

> Second, Rust has been criticized for being not too portable [3]. While
> there is some truth to that, at least today, there is ongoing work to
> add a GCC backend to the Rust compiler [4], and to write a Rust frontend
> for GCC [5].

But doesn't that mean that we need to wait till this work is done?

Cheers,
  Michael.

--
Michael Schroeder SUSE Software Solutions Germany GmbH
m...@suse.de GF: Felix Imendoerffer HRB 36809, AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}