Subject: Re: [email@example.com: CVS commit: basesrc/usr.sbin/pkg_install/add]
To: Charles M. Hannum <firstname.lastname@example.org>
From: Alistair Crooks <email@example.com>
Date: 10/03/2001 17:42:40
On Wed, Oct 03, 2001 at 03:32:30PM +0000, Charles M. Hannum wrote:
> On Wed, 2001-10-03 at 09:50, Alistair Crooks wrote:
> > On Tue, Oct 02, 2001 at 11:05:31PM -0700, Simon Gerraty wrote:
> > > >At the moment, the ability to verify packages is limited to those
> > > >which are not specified by URL. We are looking at removing this
> > > >restriction.
> > >
> > > Is this because the signatures are delivered separately? What about a
> > > "pkg" that wraps the .tgz and its signature into one file? The
> > > pkg_add of such a thing (.stgz or whatever) would involve unpacking
> > > the .tgz and .sig, verifying the signature, and if ok carrying on with
> > > the .tgz.
> > The ability for a binary package to be installed using pax or tar is
> > still a big win, as it can get you out of those delicate little "in
> > extremis" situations. That's why we decided to detach the signature.
> > But, yes, we're still looking at removing this restriction.
> gzip and pax should both deal fine with having the signature tacked on
> the end.
> BTW, does it prompt you when there *isn't* a signature attached?
If no signature is given, no. If a signature verification is requested
via the command line, yes, it will prompt.
Your point about tacking the signatures on the end is well-taken -
I think I should revisit Greg Woods PR about using pax instead of
GNU tar in pkg_add.