Subject: Re: signed binary pkgs [was: Re: BPG call for use cases]
To: Curt Sampson <firstname.lastname@example.org>
From: Todd Vierling <email@example.com>
Date: 07/23/2005 10:47:56
On Sat, 23 Jul 2005, Curt Sampson wrote:
> > You'd need to sign the +INSTALL and +DEINSTALL scripts too, as they can
> > generate files not tracked by +CONTENTS.
> Anything not in the +CONTENTS file itself also needs to be signed
> somehow, right?
+CONTENTS *should* contain all pure files present in the tarball, even
though some of +CONTENTS may be automatically generated. Some extra
plus-files need signing, however, as they (specifically the
INSTALL/DEINSTALL scripts) can generate files not present in +CONTENTS or
the tarball itself at pkg_add time.
-- Todd Vierling <firstname.lastname@example.org> <email@example.com> <firstname.lastname@example.org>