Subject: Re: [email@example.com: CVS commit: basesrc/usr.sbin/pkg_install/add]
To: Charles M. Hannum <firstname.lastname@example.org>
From: Hubert Feyrer <email@example.com>
Date: 10/04/2001 00:57:09

On 3 Oct 2001, Charles M. Hannum wrote:
> > I wonder if it was possible to make the signature part of the +-files, and
> > if present do the signature checking? Just like what we do for +MESSAGE
> > files etc.
> That would require some Magick, since the tar file itself would change,
> and you have to be careful about exactly *what* you're checking the
> signature of. I suppose it might be amusing to always have it be the
> first file -- i.e. be prefixed to the existing tar file -- and checksum
> the decompressed image instead.

Indeed. An alternative would be to checksum each single file, as we do
right now using MD5 hashes. I don't know PGP enough to tell if that's
possible, or good in general. (Someone might still add a bad binary at the
end, unsigned. Then again we could require IF signing is on, it'd be on
for ALL files). Just some random thoughts...

Want to get a clue on IPv6 but don't know where to start? Try this:
* Basics -> http://www.onlamp.com/pub/a/onlamp/2001/05/24/ipv6_tutorial.html
* Setup -> http://www.onlamp.com/pub/a/onlamp/2001/06/01/ipv6_tutorial.html
Of course with your #1 IPv6 ready operating system -> http://www.NetBSD.org/
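
The per-file checksum idea from the message above, with the rule that every file must be covered, as an added example that is not part of the original message or of pkg_install. It assumes a manifest of per-file hashes that has already been authenticated (for instance by a verified signature), uses SHA-256 in place of the MD5 hashes mentioned, and all function and file names are hypothetical.

```python
import hashlib
import io
import tarfile

def build_tar(members):
    """Build an uncompressed in-memory tar from (name, bytes) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def make_manifest(members):
    """Map each member name to the SHA-256 of its contents."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in members}

def verify_archive(tar_bytes, manifest):
    """Return a list of problems; an empty list means full coverage."""
    problems, seen = [], set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar:
            if not member.isfile():
                problems.append(f"non-regular member: {member.name}")
            elif member.name in seen:
                # A repeated name would overwrite the checked copy on extraction.
                problems.append(f"duplicate member: {member.name}")
            elif member.name not in manifest:
                # The "bad binary added at the end, unsigned" case.
                problems.append(f"unsigned member: {member.name}")
            else:
                data = tar.extractfile(member).read()
                if hashlib.sha256(data).hexdigest() != manifest[member.name]:
                    problems.append(f"hash mismatch: {member.name}")
            seen.add(member.name)
    problems += [f"missing member: {n}" for n in sorted(set(manifest) - seen)]
    return problems

# Constructed sample package contents, not taken from any real package.
SAMPLE = [("+CONTENTS", b"@name example-1.0\n"), ("bin/example", b"constructed binary")]
MANIFEST = make_manifest(SAMPLE)  # assumed already authenticated by a signature

if __name__ == "__main__":
    appended = build_tar(SAMPLE + [("bin/extra", b"appended later")])
    print(verify_archive(build_tar(SAMPLE), MANIFEST))
    print(verify_archive(appended, MANIFEST))
```

Checking only the files that have a hash would accept the appended member; the coverage check is what turns per-file hashes into an all-or-nothing policy.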