Martin Vidner wrote:
| On Tue, Mar 11, 2008 at 11:31:25AM +0000, Benji Weber wrote:
|> Greetings All,
|>
|> I recently noticed that an Ubuntu specification ThirdPartyApt[0] is very
|> similar to YMP[1].
|>
|> I have since contacted the specification authors - Jerome Haltom and
|> Scott Ritchie to enquire about the possibility of cooperating and
|> using the same file format. Both were interested in this
|> possibility. Hopefully they will be subscribed to this list now.
|
| That is great!
Indeed :)
|> There is also the question of how to distribute the public key for a
|> debian repository. As I understand it debian repositories do not
|> normally contain the public key as in most openSUSE repositories[5].
|> The .apt format proposal has the public key included in the file. This
|> is one possibility, although in my opinion it would be better to have
|> it available in the repositories like openSUSE, this would allow other
|> mechanisms for adding the repository to locate the key as well. Bear
|> in mind that one of the requirements is to keep the file format as
|> simple as possible, the less information that is mandatory in the file
|> the better.
|
| <repository>
| ...
| <pubkey href="http://example.com/p.key"/>
| or
| <pubkey>
| -----BEGIN PGP PUBLIC KEY BLOCK-----
| Version: GnuPG v1.4.2.2 (GNU/Linux)
|
| mQGiBD/G9AgRBACZ519LX9cdoyJA+7gmWC+mUsiyPhnmMWu4uOg0M+vb/JPtDdfc
| ...
| </pubkey>
| or, if not specified, it defaults to the usual suse location, for
| backwards compatibility.
| </repository>
|
| Well, regarding signing the YMPs themselves, we may have a clash
| between GPG and XML, I don't know how to resolve that.
Indeed. Even if the risk of collisions isn't as high when using a CDATA
section:
<repository>
  ...
  <pubkey><![CDATA[
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
mQGiBD/G9AgRBACZ519LX9cdoyJA+7gmWC+mUsiyPhnmMWu4uOg0M+vb/JPtDdfc
...
]]>
</pubkey>
But still. If the ASCII-armoured PGP public key token includes the
sequence "]]>" then it will break.
What would work is XML escaping the ASCII armoured block.
As that inline data is supposed to be processed by a tool that knows the
XML format, it can load the PGP public key token as a string (with DOM,
SAX, TrAX, whatever) and un-XML-escape before using it.
So even in the unlucky event where you'd have something that breaks XML
in the armoured PGP key (say, > or < or &...;):
<pubkey>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
aaa"<>bbb...
...
</pubkey>
It would look like this in the file, escaped for XML:
<pubkey>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
aaa&quot;&lt;&gt;bbb...
...
</pubkey>
cheers
--
 -o) Pascal Bleser http://linux01.gwdg.de/~pbleser/
 /\\
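The CDATA-versus-escaping point made in the message above, as an added example (Python; not code from this thread or from any YMP or .apt tool). The armoured key is a constructed stand-in that deliberately contains "]]>" and the XML-special characters, so the two embeddings can be compared on the same input.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed stand-in for an ASCII-armoured key. Real armour is base64 plus
# headers; what matters here are the byte sequences that clash with XML.
ARMOURED_KEY = (
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    "Version: GnuPG v1.4.2.2 (GNU/Linux)\n"
    "\n"
    'aaa"<>bbb]]>ccc&dd\n'
    "-----END PGP PUBLIC KEY BLOCK-----\n"
)

def embed_cdata(key: str) -> str:
    """Naive CDATA embedding: the first ']]>' inside the key ends the section."""
    return "<repository>\n  <pubkey><![CDATA[" + key + "]]></pubkey>\n</repository>"

def embed_escaped(key: str) -> str:
    """XML-escape the armour (&, <, >, and " as on the thread), so any key survives."""
    return "<repository>\n  <pubkey>" + escape(key, {'"': "&quot;"}) + "</pubkey>\n</repository>"

def extract_pubkey(document: str) -> str:
    """Parse the YMP-like document and return the <pubkey> text.
    Any XML parser un-escapes the entities for us, so the result is the
    original armour byte for byte; no hand-written un-escaping is needed."""
    root = ET.fromstring(document)
    node = root.find("pubkey")
    if node is None or node.text is None:
        raise ValueError("no <pubkey> element")
    return node.text

def cdata_roundtrip_ok(key: str) -> bool:
    """True if the CDATA form parses and round-trips; False when ']]>' breaks it."""
    try:
        return extract_pubkey(embed_cdata(key)) == key
    except ET.ParseError:
        return False

def escaped_roundtrip_ok(key: str) -> bool:
    """True if the escaped form parses back to the exact original armour."""
    return extract_pubkey(embed_escaped(key)) == key

if __name__ == "__main__":
    print("CDATA form round-trips:  ", cdata_roundtrip_ok(ARMOURED_KEY))
    print("Escaped form round-trips:", escaped_roundtrip_ok(ARMOURED_KEY))
    print(embed_escaped(ARMOURED_KEY))
```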