Subject: Re: little hacking project: bulk build checksums
To: Jan Schaumann <>
From: Todd Vierling <>
List: tech-pkg
Date: 01/22/2005 12:54:43
On Sat, 22 Jan 2005, Jan Schaumann wrote:

> Things to consider here is whether or not packages should be signed by
> the developer building them or by a known common key (security-officer?
> a new 'pkgsrc' key?).  This would also entail adding the necessary bits
> to the pkg* tools to verify the signature, which would mean getting PGP
> functionality into the base system.

OpenSSL has a certificate signature system.  This, too, has been discussed
off and on.

> Getting PGP support into the base system would be great, but is unlikely
> at the moment, since surely we don't want gnupg (with the worst human
> interface ever + GPL)...

PGP[i]'s license is even "worse," but in different ways.  8-)

-- Todd Vierling <> <>