pkgsrc-Users archive


Re: pkg-vulnerabilities



On Tue, Oct 03, 2006 at 04:41:22PM -0400, Steven M. Bellovin wrote:
> Compressed storage on the local machine is probably a bad idea, since it
> would need to be decompressed several times for each package built.  And
> it's probably pointless -- look at how big pkgsrc is, and ask if 200KB
> makes that much difference.

It's not about storage, but about the download itself.  I think providing a
bzip2'ed version would be a good idea.

Btw, you can rsync pkg-vulnerabilities...

> A digital signature would be a good idea -- verify it at download time.
> Using TLS would put a lot more load on ftp.netbsd.org, and wouldn't help
> at all if you were using a mirror.

Agreed; the file should be signed/secured, not the connection.

        Geert


