Subject: Re: binary packages for the dreamcast
To: None <tech-pkg@netbsd.org>
From: grant beattie <grant@netbsd.org>
List: tech-pkg
Date: 02/06/2003 08:58:33
On Wed, Feb 05, 2003 at 11:19:47AM -0500, Jan Schaumann wrote:

> Note that I have not yet verified the packages, so should Alex turn out
> to be Evil Incarnate and you installed any of the packages, he might own
> your box. ;-P  Not that there is any reason to believe this - I just
> wanted to point out the inherent dangers of installing binary packages
> which you did not create yourself.

Speaking of which...

We currently do not provide any checksums for binary packages on
ftp.netbsd.org, thus, users have no way to determine whether packages
are authentic or have been hacked -- why should users trust us more
than anyone else? ;)

I realise we have the ability to pgp sign packages, but we are not
currently using it for the bulk-builds.

Having our binary packages exposed in this way is a serious problem.
Is there any work being done to address this?

g.
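An added illustration of the gap grant describes, not code from the thread or from pkgsrc: a stdlib-only Python verifier for a BSD-style `SHA256 (name) = hex` package manifest. The package names, contents, manifest format and key are all constructed for this example. It shows that a plain manifest served beside the packages catches corrupted downloads but not a package swapped together with its manifest, whereas a manifest authenticated by a key the mirror does not hold (an HMAC here stands in for the PGP signing the post mentions) rejects the swapped release outright.

```python
import hashlib
import hmac
import re

# Constructed stand-ins for binary packages (real ones would be .tgz files
# read from disk); the names and bytes are made up for this illustration.
PACKAGES = {
    "foo-1.0.tgz": b"constructed package contents: foo-1.0",
    "bar-2.3.tgz": b"constructed package contents: bar-2.3",
}

# Manifest format is the BSD digest style "SHA256 (name) = hex". Using SHA-256
# is an assumption for the example, not a statement about what the
# ftp.netbsd.org bulk builds produced.
MANIFEST_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]{64})$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(packages: dict) -> str:
    """One manifest line per package, sorted so the output is stable."""
    return "".join(
        f"SHA256 ({name}) = {sha256_hex(data)}\n"
        for name, data in sorted(packages.items())
    )


def parse_manifest(text: str) -> dict:
    """Map package name -> expected hex digest; reject malformed lines."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError(f"manifest line {lineno}: unrecognised entry {line!r}")
        expected[m["name"]] = m["hex"]
    return expected


def verify_packages(packages: dict, manifest_text: str) -> dict:
    """Integrity check only: name -> 'ok' | 'mismatch' | 'unlisted'.

    This catches truncated or corrupted downloads, but whoever can replace
    a package on the mirror can regenerate this manifest as well.
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for name, data in packages.items():
        if name not in expected:
            results[name] = "unlisted"
        elif hmac.compare_digest(sha256_hex(data), expected[name]):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


# Authenticating the manifest. The post talks about PGP signing; to stay
# stdlib-only this example uses an HMAC under a key held by the build host
# and the verifier but never placed on the mirror. Assumption: a stand-in for
# a detached signature, not a recommendation to use HMAC instead of PGP.
SIGNING_KEY = b"constructed-key-not-on-the-mirror"


def sign_manifest(manifest_text: str, key: bytes) -> str:
    return hmac.new(key, manifest_text.encode(), hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest_text: str, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest_text, key), tag)


def verify_release(packages: dict, manifest_text: str, tag: str, key: bytes) -> dict:
    """Authenticity first, then integrity: no digest is trusted until the
    manifest that carries it checks out."""
    if not manifest_is_authentic(manifest_text, tag, key):
        return {name: "manifest-unauthenticated" for name in packages}
    return verify_packages(packages, manifest_text)


MANIFEST = make_manifest(PACKAGES)
MANIFEST_TAG = sign_manifest(MANIFEST, SIGNING_KEY)


def substituted_release() -> tuple:
    """Constructed scenario: a mirror serves a replaced foo-1.0.tgz together
    with a freshly regenerated, unsigned manifest that matches it."""
    swapped = dict(PACKAGES)
    swapped["foo-1.0.tgz"] = b"constructed replacement contents for foo-1.0"
    return swapped, make_manifest(swapped)


if __name__ == "__main__":
    swapped, forged = substituted_release()
    print("unsigned manifest, swapped package:", verify_packages(swapped, forged))
    print("signed manifest, swapped package:  ", verify_release(swapped, forged, MANIFEST_TAG, SIGNING_KEY))
    print("signed manifest, genuine release:  ", verify_release(PACKAGES, MANIFEST, MANIFEST_TAG, SIGNING_KEY))
```

With a real PGP signature in place of the HMAC the structure is the same: the verifier checks the detached signature on the manifest before it believes any digest in it, and the signing public key has to reach users by a path independent of the mirror that serves the packages, otherwise the key can be swapped along with everything else.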