[Pkg-gnupg-maint] Bug#612462: Bug#612462: gnupg: Please provide a win32 port of gpgv
Thijs Kinkhorst
thijs at debian.org
Tue Feb 8 19:36:37 UTC 2011
Hi Didier,
On Tuesday 08 February 2011 17:06:37 Didier Raboud wrote:
> a current flaw of the standalone version of win32-loader (source and binary
> package in Debian) is that it downloads the d-i kernel and initrds through
> Internet without any form of checking that those are authenticated binaries
> from the Debian project (see #442180 for details).
>
> In order to solve this, the Windows executable needs to check the signature
> on the downloaded Release{,.gpg} file and then check the md5sums of
> various files. The md5sum checksum verification is already implemented
> (although not uploaded yet) with a md5sum implementation internal to NSIS.
> There are still missing pieces on FTP-Master side (see #611087, which will
> get solved in their upcoming meeting, I heard), but I would also need a
> gpgv.exe that could run on the target Windows host, to check the
> downloaded Release{,.gpg} files.
I'm not aversive to this plan but I do not completely understand it. You need
gpgv.exe on the Windows platform, but you cannot install debs there, right? So
what would the role of this deb be exactly?
Also I cannot test it. Would you assume responsibility for dealing with
potential bug reports for this?
Cheers,
Thijs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20110208/62286085/attachment.pgp>
More information about the Pkg-gnupg-maint
mailing list