Re: DISTFILES signature verification

To: Tonnerre Lombard <tonnerre%NetBSD.ch@localhost>
Subject: Re: DISTFILES signature verification
From: Adrian Portelli <adrianp%stindustries.net@localhost>
Date: Mon, 19 Jan 2009 22:09:42 +0000

On 19/1/09 21:57, Tonnerre Lombard wrote:
> Salut, Adrian,
> 
> On Sun, 11 Jan 2009 16:26:32 +0000, Adrian Portelli
>> Comments ?
> 
> Well, using GnuPG for this is slightly unhelpful, since GnuPG is not a
> part of the base, of course. This means that one has to install
> unsigned packages before being able to verify the signatures.

True and your not even guaranteed that any packages will have a
signature anyway.  Some software authors provide them, and some don't.

> 
> I would rather use openssl to create and verify signatures; examples of
> how to do this can be found at
> http://oss.sygroup.ch/cgi-bin/viewvc.cgi/patchadd/tests/Makefile?view=co
> 
>                               Tonnerre

If we were implementing this as an 'in house' (i.e. pkgsrc solution)
then I agree that there are potentially better way to do this using
other, possibly in tree, tools.

However, the signature verification framework is designed to be used for
authors that have made the signature for their software available
themselves.  It's really just meant to take advantage of a feature that
is available now with some packages as opposed to implementing a
solution for all distfiles.

adrian.

Follow-Ups:
- Re: DISTFILES signature verification
  - From: Tonnerre Lombard

References:
- DISTFILES signature verification
  - From: Adrian Portelli
- Re: DISTFILES signature verification
  - From: Tonnerre Lombard

Prev by Date: Re: DISTFILES signature verification
Next by Date: Re: Depending on a package with an option?
Previous by Thread: Re: DISTFILES signature verification
Next by Thread: Re: DISTFILES signature verification
Indexes:

Home | Main Index | Thread Index | Old Index