On Thu, 10 Feb 2005, Alistair Crooks wrote:
> Every time I have talked about digital signatures to people, they have
> said what a good idea it would be if pkgsrc could support them, or
> requests to show them documentation.  Now I admit that I chose the
> wrong time to add them (September 2001), but it's done, they're there,
> and they could easily be used.  It's just that no-one uses them.  I
> have absolutely no idea why.

If your verification scheme does not look very similar to PGP with
detached signatures, then it's difficult to extend the code to cope
with your new scheme.  (I wanted a scheme that would just call
an external program with the pkg name as an arg, but soon gave
up.  My external script would have grepped for the pkg name in
${RELEASEDIR}/${MACHINE}/binary/syspkgs/MD5 and verified the MD5
checksum.)

--apb (Alan Barrett)