Subject: Re: [firstname.lastname@example.org: CVS commit: basesrc/usr.sbin/pkg_install/add]
To: Alistair Crooks <email@example.com>
From: Charles M. Hannum <firstname.lastname@example.org>
Date: 10/03/2001 15:32:30

On Wed, 2001-10-03 at 09:50, Alistair Crooks wrote:
> On Tue, Oct 02, 2001 at 11:05:31PM -0700, Simon Gerraty wrote:
> > >At the moment, the ability to verify packages is limited to those
> > >which are not specified by URL. We are looking at removing this
> > >restriction.
> > Is this because the signatures are delivered separately? What about a
> > "pkg" that wraps the .tgz and its signature into one file? The
> > pkg_add of such a thing (.stgz or whatever) would involve unpacking
> > the .tgz and .sig, verifying the signature, and if ok carrying on with
> > the .tgz.
> The ability for a binary package to be installed using pax or tar is
> still a big win, as it can get you out of those delicate little "in
> extremis" situations. That's why we decided to detach the signature.
> But, yes, we're still looking at removing this restriction.

gzip and pax should both deal fine with having the signature tacked on
BTW, does it prompt you when there *isn't* a signature attached?
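
The two points raised in this thread, a signature appended after the gzip stream and what happens when no signature is attached, shown as an added example that is not part of the original messages and is not pkg_install code. The trailer marker, key and function names are hypothetical, and HMAC-SHA256 stands in for whatever real signature scheme a package tool would use.

```python
import gzip
import hashlib
import hmac
import zlib

MARKER = b"PKGSIG1:"            # constructed trailer marker, not a real pkg_install format
KEY = b"constructed-demo-key"   # stand-in for real signing/verification key material
TAG_LEN = hashlib.sha256().digest_size

def sign_package(tgz: bytes, key: bytes = KEY) -> bytes:
    """Append a signature trailer after the end of the gzip stream."""
    tag = hmac.new(key, tgz, hashlib.sha256).digest()
    return tgz + MARKER + tag

def split_package(blob: bytes):
    """Return (gzip stream, trailing bytes) by finding where the gzip member ends."""
    d = zlib.decompressobj(wbits=31)   # 31 = parse gzip header and CRC trailer
    d.decompress(blob)                 # raises zlib.error on a corrupt stream
    if not d.eof:
        raise ValueError("truncated gzip stream")
    trailer = d.unused_data            # everything after the first gzip member
    return blob[: len(blob) - len(trailer)], trailer

def check_package(blob: bytes, key: bytes = KEY) -> str:
    """Classify a package as 'verified', 'unsigned' or 'bad-signature'."""
    tgz, trailer = split_package(blob)
    if not trailer:
        return "unsigned"
    if not trailer.startswith(MARKER) or len(trailer) != len(MARKER) + TAG_LEN:
        return "bad-signature"
    expected = hmac.new(key, tgz, hashlib.sha256).digest()
    ok = hmac.compare_digest(trailer[len(MARKER):], expected)
    return "verified" if ok else "bad-signature"

def may_install(blob: bytes, allow_unsigned: bool = False) -> bool:
    """Fail closed: a missing signature is accepted only on explicit request."""
    status = check_package(blob)
    return status == "verified" or (status == "unsigned" and allow_unsigned)

# Constructed sample packages (gzip data standing in for a real .tgz).
TGZ = gzip.compress(b"constructed package payload")
SIGNED = sign_package(TGZ)
TAMPERED = gzip.compress(b"swapped payload") + SIGNED[len(TGZ):]

if __name__ == "__main__":
    for name, blob in (("signed", SIGNED), ("stripped", TGZ), ("tampered", TAMPERED)):
        print(name, check_package(blob), may_install(blob))
```

Stripping the trailer turns a signed package into an ordinary unsigned one, so the missing-signature case has to be a distinct, refused-by-default outcome rather than a silent pass.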