Remove GPG signature support #3277

Merged: 1 commit, Mar 21, 2023
Conversation

rbtcollins (Contributor)

This is a breaking change: the gpg config settings, variables, and
related cli commands are all removed.

Fixes: #3250 by removing our GPG support.

  • the foundation's new security engineer Walter Pearce is working on a
    new system, not based around GPG, for validation of distributions
  • we don't rely on the signatures today - these warnings are not errors
    by default
  • sustained ignored, unfixable signature errors will teach folk to
    ignore them, which is harmful to everyone
  • we could do streaming unpacking (with some changes) if we trust the
    transport rather than the current monolithic signature validation,
    which could improve performance

Downloads still have a checksum which is verified.

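The checksum the PR leaves in place, shown as an added example (not rustup's code): streaming SHA-256 verification of a downloaded archive against its sidecar digest, in the hash-while-unpacking shape the PR description mentions. It assumes the sidecar uses the `sha256sum` text format ("<hex digest>  <filename>"), which is an assumption about the sidecar and not something the PR states; the sample archive and sidecar are constructed inside the block. One caveat a practitioner should keep in mind: a digest fetched over the same channel as the archive detects corruption and truncated downloads, and detects substitution only when the attacker cannot rewrite the sidecar as well. Authenticity of origin then rests on the transport (TLS to the distribution host, which is the "trust the transport" the description refers to) or on a signature, not on the checksum itself.

```python
"""Streaming checksum verification for a downloaded archive.

Added example; not rustup's code. It assumes the checksum sidecar is in
`sha256sum` text format ("<hex digest>  <filename>"), which is an assumption
about the sidecar, not something the PR states.
"""
import hashlib
import hmac
from typing import Callable, Iterable, Optional

CHUNK_SIZE = 64 * 1024  # hash and hand off the download 64 KiB at a time


def parse_sha256_sidecar(text: str, filename: str) -> Optional[str]:
    """Return the hex digest recorded for `filename`, or None if there is none.

    Accepts both "<hex>  <name>" and the binary-mode "<hex> *<name>" spelling
    and rejects anything that is not exactly 64 hex characters.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[1].lstrip("*") != filename:
            continue
        digest = parts[0].lower()
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            return digest
    return None


def verify_stream(chunks: Iterable[bytes], expected_hex: str,
                  sink: Optional[Callable[[bytes], None]] = None) -> bool:
    """Hash the download as it arrives; decide only once the last chunk is in.

    If `sink` is given, every chunk is also passed to it before the verdict is
    known (the streaming-unpack shape), so the caller must be able to throw
    away whatever the sink produced if this returns False.
    """
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
        if sink is not None:
            sink(chunk)
    # Constant-time comparison: the digest is public, but a short-circuiting
    # compare is a habit not worth having in verification code.
    return hmac.compare_digest(h.hexdigest(), expected_hex.lower())


def download_and_verify(archive: bytes, sidecar: str, filename: str) -> bool:
    """Fail closed: no recorded digest, or a mismatching one, means no install."""
    expected = parse_sha256_sidecar(sidecar, filename)
    if expected is None:
        return False
    staged = bytearray()  # stand-in for the partially unpacked tree
    chunks = (archive[i:i + CHUNK_SIZE] for i in range(0, len(archive), CHUNK_SIZE))
    ok = verify_stream(chunks, expected, sink=staged.extend)
    if not ok:
        staged.clear()  # discard everything unpacked before the mismatch was seen
    return ok


# Constructed sample inputs (not real rustup artifacts).
SAMPLE_NAME = "rust-example-x86_64-unknown-linux-gnu.tar.xz"
SAMPLE_ARCHIVE = b"\xfd7zXZ\x00" + bytes(range(256)) * 300
SAMPLE_SIDECAR = f"{hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()}  {SAMPLE_NAME}\n"


def demo() -> tuple:
    """Results for: intact archive, one flipped byte, filename absent from sidecar."""
    intact = download_and_verify(SAMPLE_ARCHIVE, SAMPLE_SIDECAR, SAMPLE_NAME)
    tampered = download_and_verify(SAMPLE_ARCHIVE[:-1] + b"\x00", SAMPLE_SIDECAR, SAMPLE_NAME)
    unlisted = download_and_verify(SAMPLE_ARCHIVE, SAMPLE_SIDECAR, "other.tar.xz")
    return intact, tampered, unlisted


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The discard step in `download_and_verify` is the price of streaming: because a hash, like a detached signature, can only be checked once the final byte has arrived, anything unpacked before the verdict must be treated as untrusted and thrown away on mismatch rather than left on disk.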
@hi-rustin (Member) left a comment


Thanks! Looks good to me.

Linked issue (may be closed by this merge): incorrectly reported signature validation failure (Rust 1.8.0 to Rust 1.21.0, some nightlies)