"Come to mind" doesn't sound line "that'd break our environment." ;)
> -To verify and then use a .tar.[bg]z2?, you must gpg --verify and then
> tar -x[jz]vf, but to unpack, then verify, then use you must uncompress
> to a tempfile or pipe to gpg, then verify, then untar. Silly waste of
> CPU and/or disk space.[*]
Veryfy and use are two action. You need a script or a human, changing
either one won't be hard.
> -Verifying downloads immediately, when they won't necessarily be needed /
> used right away; no need to unpack until it's needed, but would like to
> know the download is bad right away.
real-world?
> -Verifying something pulled down to one machine before scp'ing it elsewhere
> where it will actually be used.
real-world?
> -Verifying before [bg]unzip means you won't expose [bg]unzip to likely
> malicious data (think bugs in [bg]unzip which make them crash on bad
> compressed files). Of course GPG/PGP is still subject to input-based
> bugs, but they are in any case; no need for the decompression tools to
> be as well.
Crashes don't matter. Exploits would, so that point is actually valid.
> [*] ...Now if tar had a --sig option to chain gpg between gunzip and
> untar... but that would just be Wrong.
unzip && checksig && tar?
Jörn
-- More computing sins are committed in the name of efficiency (without necessarily achieving it) than for any other single reason - including blind stupidity. -- W. A. Wulf - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/