On 5/26/11 5:56 PM, Evan Phoenix wrote: > I apologize for the top posting, but the comment applies to the whole thing. > > Grant, one of the requirements for any signing strategy is that it can be > implemented all in ruby, specifically with things provided by the ruby > standard library. This by and large means OpenSSL. > > Could a PGP-style setup be fully implemented in ruby and hosted entirely by > us (not require an pgp keyservers)? >
My philosophy was to dump as much of the real crypto to the existing infrastructure as possible, so we don't need to worry about bone-headed crypto mistakes in our code. But I see where you're coming from. The proof-of-concept code I have right now just shells out to gpg with backticks and degrades gracefully if there's no gpg. There's no verification, but you can still install the gem, and run rubygems without any external dependencies. If the ruby standard library can deal with the public key signing (RSA and DSA) and hash functions (SHA series, and possibly MD5, RIPEMD160) it would be possible to write a full ruby implemenatation that can process OpenPGP files, but that's a lot of work, and prone to errors. For the second part of the question, I'm not sure if you're asking if we could run our own keyservers, or if we need to be able to verify packages with the network unplugged. The keyserver code is open source, you could run your own keyservers outside of the existing pools if you wanted to. If you wanted to be able to verify gems without network access, you could include official master signing keys (the public portion only) in the rubygem distribution, as I talk about in the last section. The gem maintainer could embed their full public key into the gem, including the signature from the master key, in addition to the package signatures. With this, you would have everything you need verify the package off-line. -- Grant "I am gravely disappointed. Again you have made me unleash my dogs of war." _______________________________________________ Rubygems-developers mailing list http://rubyforge.org/projects/rubygems [email protected] http://rubyforge.org/mailman/listinfo/rubygems-developers
