Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove GPG signature support #3277

Merged
merged 1 commit into from
Mar 21, 2023
Merged

Conversation

rbtcollins
Copy link
Contributor

This is a breaking change: the gpg config settings, variables, and
related cli commands are all removed.

Fixes: #3250 by removing our GPG support.

  • the foundation's new security engineer Walter Pearce is working on a
    new system, not based around GPG, for validation of distributions
  • we don't rely on the signatures today - these warnings are not errors
    by default
  • sustained ignored, unfixable signature errors will teach folk to
    ignore them, which is harmful to everyone
  • we could do streaming unpacking (with some changes) if we trust the
    transport rather than the current monolithic signature validation,
    which could improve performance

Downloads still have a checksum which is verified.

This is a breaking change: the gpg config settings, variables, and
related cli commands are all removed.

Fixes: rust-lang#3250 by removing our GPG support.

- the foundation's new security engineer Walter Pearce is working on a
  new system, not based around GPG, for validation of distributions
- we don't rely on the signatures today - these warnings are not errors
  by default
- sustained ignored, unfixable signature errors will teach folk to
  ignore them, which is harmful to everyone
- we could do streaming unpacking (with some changes) if we trust the
  transport rather than the current monolithic signature validation,
  which could improve performance

Downloads still have a checksum which is verified.
Copy link
Member

@Rustin170506 Rustin170506 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Looks good to me.

Cargo.toml Show resolved Hide resolved
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

incorrectly reported signature validation failure (Rust 1.8.0 to Rust 1.21.0, some nightlies)
2 participants