NetBSD-Users archive


Re: pkgsrc binary packages security with pkgin



Jan Danielsson <jan.m.danielsson%gmail.com@localhost> writes:

>    - If you don't know if:
>      o the server storage can be trusted
>      o you can fully trust the link
>      o you can trust your local storage up until the point at which you
> install the package
>      .. then you need the binary package to be signed.

If you can't trust your local storage, you have no basis for getting
anything at all right.  Your local storage is where the public keys are
stored that you use to validate, where you store files in installed
packages, and where you store /usr/bin/login.  Seriously - if you can't
trust your local computer, it's all over.

