Subject: Re: [agc@netbsd.org: CVS commit: basesrc/usr.sbin/pkg_install/add]
To: Hubert Feyrer <hubert.feyrer@informatik.fh-regensburg.de>
From: Charles M. Hannum <abuse@spamalicious.com>
List: tech-pkg
Date: 10/04/2001 12:58:41
On Wed, 2001-10-03 at 22:57, Hubert Feyrer wrote:
> On 3 Oct 2001, Charles M. Hannum wrote:
> > > I wonder if it was possible to make the signature part of the +-files, and
> > > if present do the signature checking?  Just like what we do for +MESSAGE
> > > files etc.
> > 
> > That would require some Magick, since the tar file itself would change,
> > and you have to be careful about exactly *what* you're checking the
> > signature of.  I suppose it might be amusing to always have it be the
> > first file -- i.e. be prefixed to the existing tar file -- and checksum
> > the decompressed image instead.
> 
> Indeed. An alternative would be to checksum each single file, as we do
> right now using MD5 hashes. I don't know PGP enough to tell if that's
> possible, or good in general. (Someone might still add a bad binary at the
> end, unsigned. Then again we could require IF signing is on, it'd be on
> for ALL files). Just some random thoughts...

There's some merit to that, but there are two things to consider:

1) It will bloat the pkgs quite a bit in some cases -- e.g. teTeX-share.

2) It will cause us to produce signatures at a furious rate, increasing
the chances of a birthday attack.

So, I don't think it's a good idea.
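The two layouts discussed in this message, as an added worked example that is not part of the thread or of pkg_install: a "signature first" archive whose first member covers every byte that follows it, and a per-file manifest (a +CONTENTS-style list of digests) where only the manifest is signed. It also reproduces the weakness Hubert raises, an unsigned member spliced in at the end, and the fix of requiring every member to be listed when signing is on. All names (build_sig_first, verify_manifest, etc.) and the sample file list are made up for illustration; HMAC-SHA256 with a shared key stands in for the PGP signature, since the point is what bytes get covered, not the signature primitive.

```python
"""Added example: where a package signature goes, and what it covers."""
import hashlib
import hmac
import io
import tarfile

BLOCK = 512
END_OF_ARCHIVE = b"\0" * (2 * BLOCK)
# Assumption: stand-in for the signer's key; a real scheme would sign asymmetrically.
SIGNING_KEY = b"constructed demo key, not a real secret"

# Constructed sample package contents (not real pkgsrc files).
FILES = [
    ("+COMMENT", b"demo package\n"),
    ("bin/hello", b"#!/bin/sh\necho hello\n"),
    ("share/doc/README", b"constructed sample file\n"),
]


def sign(data: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest().encode()


def verify_sig(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def member_len(size: int) -> int:
    """Bytes a member of `size` payload bytes occupies: header + padded data."""
    return BLOCK + size + (-size) % BLOCK


def member(name: str, data: bytes) -> bytes:
    """One raw tar member: a 512-byte ustar/GNU header plus block-padded data."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    info.mtime = 0  # deterministic header so the signed bytes are reproducible
    return info.tobuf(tarfile.GNU_FORMAT) + data + b"\0" * ((-len(data)) % BLOCK)


def read_members(archive: bytes) -> list[tuple[str, bytes]]:
    """Parse a raw tar stream back into (name, data) pairs, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tf:
        return [(m.name, tf.extractfile(m).read()) for m in tf.getmembers() if m.isfile()]


# Scheme 1: signature is the first member and covers the rest of the stream.
def build_sig_first(files) -> bytes:
    body = b"".join(member(n, d) for n, d in files) + END_OF_ARCHIVE
    return member("+SIGNATURE", sign(body)) + body


def verify_sig_first(archive: bytes) -> bool:
    try:
        members = read_members(archive)
    except tarfile.TarError:
        return False
    if not members or members[0][0] != "+SIGNATURE":
        return False
    sig = members[0][1]
    covered = archive[member_len(len(sig)):]  # everything after the first member
    return verify_sig(covered, sig)


# Scheme 2: per-file digests in a manifest; only the manifest is signed.
def build_manifest(files) -> bytes:
    manifest = b"".join(
        f"{hashlib.sha256(d).hexdigest()} {n}\n".encode() for n, d in files
    )
    members = [("+CONTENTS", manifest), ("+SIGNATURE", sign(manifest))] + list(files)
    return b"".join(member(n, d) for n, d in members) + END_OF_ARCHIVE


def verify_manifest(archive: bytes, strict: bool) -> bool:
    """strict=True refuses any member the signed manifest does not list."""
    try:
        found = dict(read_members(archive))
    except tarfile.TarError:
        return False
    manifest, sig = found.pop("+CONTENTS", None), found.pop("+SIGNATURE", None)
    if manifest is None or sig is None or not verify_sig(manifest, sig):
        return False
    listed = {}
    for line in manifest.decode().splitlines():
        digest, name = line.split(" ", 1)
        listed[name] = digest
    for name, digest in listed.items():
        if name not in found or hashlib.sha256(found[name]).hexdigest() != digest:
            return False
    # The hole Hubert describes: an unlisted member rides along unless every
    # member must be covered by the signed manifest.
    if strict and set(found) - set(listed):
        return False
    return True


def append_member(archive: bytes, name: str, data: bytes) -> bytes:
    """Attacker splices an extra, unsigned member in before the end-of-archive blocks."""
    assert archive.endswith(END_OF_ARCHIVE)
    return archive[: -len(END_OF_ARCHIVE)] + member(name, data) + END_OF_ARCHIVE


if __name__ == "__main__":
    evil = ("bin/evil", b"#!/bin/sh\nrm -rf /tmp/victim\n")
    print("sig-first, clean:", verify_sig_first(build_sig_first(FILES)))
    print("sig-first, appended:", verify_sig_first(append_member(build_sig_first(FILES), *evil)))
    print("manifest lax, appended:", verify_manifest(append_member(build_manifest(FILES), *evil), strict=False))
    print("manifest strict, appended:", verify_manifest(append_member(build_manifest(FILES), *evil), strict=True))
```

With the signature-first layout the verifier never has to know which members exist: any byte after the signature member, including an appended one, breaks the check. The manifest layout only gets the same property when the verifier insists that every member present is listed, which is the "signing is on for ALL files" rule.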