Subject: Re: little hacking project: bulk build checksums
To: None <>
From: Jan Schaumann <>
List: tech-pkg
Date: 01/22/2005 12:34:29
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Lasse Kliemann <> wrote:
> BTW, how about signing the binary packages themselves?
> Does this make a difference regarding security?

Signed binary packages are something I would *Really* like to see, and
it has been discussed on-again off-again.

Things to consider here is whether or not packages should be signed by
the developer building them or by a known common key (security-officer?
a new 'pkgsrc' key?).  This would also entail adding the necessary bits
to the pkg* tools to verify the signature, which would mean getting PGP
functionality into the base system.

Getting PGP support into the base system would be great, but is unlikely
at the moment, since surely we don't want gnupg (with the worst human
interface ever + GPL)...


Of course it runs NetBSD!

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.3 (NetBSD)