Subject: Re: little hacking project: bulk build checksums
To: Jan Schaumann <jschauma@netmeister.org>
From: Todd Vierling <tv@duh.org>
List: tech-pkg
Date: 01/22/2005 12:54:43

On Sat, 22 Jan 2005, Jan Schaumann wrote:
> Things to consider here are whether or not packages should be signed by
> the developer building them or by a known common key (security-officer?
> a new 'pkgsrc' key?). This would also entail adding the necessary bits
> to the pkg* tools to verify the signature, which would mean getting PGP
> functionality into the base system.

OpenSSL has a certificate signature system. This, too, has been discussed
off and on.

> Getting PGP support into the base system would be great, but is unlikely
> at the moment, since surely we don't want gnupg (with the worst human
> interface ever + GPL)...

PGP[i]'s license is even "worse," but in different ways. 8-)

--
-- Todd Vierling <tv@duh.org> <tv@pobox.com>