> That shouldn't matter, most of the times. If you want to build the
> code, you have to [bg]unzip anyway, so there is no extra cost.
> And I have a hard time to think of a real-world application where you
> don't want to unpack but need to verify the signature.
A few come to mind:
-To verify and then use a .tar.[bg]z2?, you must gpg --verify and then
tar -x[jz]vf, but to unpack, then verify, then use you must uncompress
to a tempfile or pipe to gpg, then verify, then untar. Silly waste of
CPU and/or disk space.[*]
-Verifying downloads immediately, when they won't necessarily be needed /
used right away; no need to unpack until it's needed, but would like to
know the download is bad right away.
-Verifying something pulled down to one machine before scp'ing it elsewhere
where it will actually be used.
-Verifying before [bg]unzip means you won't expose [bg]unzip to likely
malicious data (think bugs in [bg]unzip which make them crash on bad
compressed files). Of course GPG/PGP is still subject to input-based
bugs, but they are in any case; no need for the decompression tools to
be as well.
[*] ...Now if tar had a --sig option to chain gpg between gunzip and
untar... but that would just be Wrong.
-- Hank Leininger <hlein@progressive-comp.com> - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/