Subject: Re: [ CVS commit: basesrc/usr.sbin/pkg_install/add]
To: Charles M. Hannum <>
From: Hubert Feyrer <>
List: tech-pkg
Date: 10/04/2001 00:57:09

On 3 Oct 2001, Charles M. Hannum wrote:
> > I wonder if it was possible to make the signature part of the +-files, and
> > if present do the signature checking?  Just like what we do for +MESSAGE
> > files etc.
> That would require some Magick, since the tar file itself would change,
> and you have to be careful about exactly *what* you're checking the
> signature of.  I suppose it might be amusing to always have it be the
> first file -- i.e. be prefixed to the existing tar file -- and checksum
> the decompressed image instead.

Indeed. An alternative would be to checksum each single file, as we do
right now using MD5 hashes. I don't know PGP enough to tell if that's
possible, or good in general. (Someone might still add a bad binary at the
end, unsigned. Then again we could require IF signing is on, it'd be on
for ALL files). Just some random thoughts...

 - Hubert
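
The per-file scheme discussed in this message, with the "signing is on for ALL files" rule enforced, as an added example that is not part of the original post and is not pkg_install code. Assumptions: an HMAC stands in for the PGP signature, SHA-256 replaces MD5, and the `+SIGNATURE` member name, the key and the sample files are constructed for illustration.

```python
import hashlib, hmac, io, tarfile

KEY = b"constructed-demo-key"   # stand-in for a PGP key (assumption)
MANIFEST = "+SIGNATURE"         # hypothetical metadata member name
FILES = {"+MESSAGE": b"hello-1.0 installed\n", "bin/hello": b"#!/bin/sh\necho hello\n"}

def _add(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def build_pkg(files, unsigned_extra=None):
    """Return tar bytes: signed hash manifest first, then the files."""
    body = "".join(f"{hashlib.sha256(d).hexdigest()}  {n}\n"
                   for n, d in sorted(files.items())).encode()
    tag = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add(tar, MANIFEST, tag + b"\n" + body)
        for n, d in list(files.items()) + list((unsigned_extra or {}).items()):
            _add(tar, n, d)     # extras get no manifest entry
    return buf.getvalue()

def verify_pkg(blob):
    """Return (ok, reason). Every member must be listed and must match."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        members = tar.getmembers()
        if not members or members[0].name != MANIFEST:
            return False, "manifest missing or not first"
        tag, _, body = tar.extractfile(members[0]).read().partition(b"\n")
        want = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, want):
            return False, "bad manifest signature"
        listed = {}
        for line in body.decode().splitlines():
            digest, name = line.split("  ", 1)
            listed[name] = digest
        seen = set()
        for m in members[1:]:
            if not m.isfile() or m.name not in listed or m.name in seen:
                return False, f"unsigned or duplicate member: {m.name}"
            data = tar.extractfile(m).read()
            if hashlib.sha256(data).hexdigest() != listed[m.name]:
                return False, f"hash mismatch: {m.name}"
            seen.add(m.name)
        if seen != set(listed):
            return False, "listed file missing"
        return True, "ok"
```

Because the verifier walks every archive member rather than only the names in the manifest, a file appended after signing fails the check instead of being silently installed.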
