Subject: Re: little hacking project: bulk build checksums
To: None <>
From: Jan Schaumann <>
List: tech-pkg
Date: 01/22/2005 20:49:36
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

grant beattie <> wrote:
> we have the ability to cryptographically sign binary packages, which
> can be automatically verified by pkg_add.

Any details?  Signed by who and how?

> I'd rather the effort be channeled into making this happen, rather
> than adding checksums that will ~never be checked.

Hmmm, are you suggesting that, for the same reason,*SUM are
~never checked?  And should hence not be offered?

Adding the creation of the checksums (for manual checks) to the upload
script should be fairly trivial to do -- extending pkg* tools to
register and check signatures should be a fair bit more complex.

I'm not saying that adding signature checking to pkg* is not a good idea
(on the contrary, I would love to see that), but investing the small
effort of providing at least some checksum seems better to me than leaning
back and waiting for Somebody Else to work out the more complex task.


What do you mean, why has it got to be built? It's a
bypass. Got to build bypasses.
