Subject: Re: signed binary pkgs [was: Re: BPG call for use cases]
To: Curt Sampson <cjs@cynic.net>
From: Todd Vierling <tv@duh.org>
List: tech-security
Date: 07/23/2005 10:47:56
On Sat, 23 Jul 2005, Curt Sampson wrote:

> > You'd need to sign the +INSTALL and +DEINSTALL scripts too, as they can
> > generate files not tracked by +CONTENTS.
>
> Anything not in the +CONTENTS file itself also needs to be signed
> somehow, right?

+CONTENTS *should* contain all pure files present in the tarball, even
though some of +CONTENTS may be automatically generated.  Some extra
plus-files need signing, however, as they (specifically the
INSTALL/DEINSTALL scripts) can generate files not present in +CONTENTS or
the tarball itself at pkg_add time.

-- 
-- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
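Added example (not code from this thread, and not pkgsrc's own pkg_install): a toy signed-package checker that makes the point above concrete. It signs +CONTENTS, checks every listed file against its digest, rejects pure files the manifest does not list, and then shows that a modified +INSTALL still passes unless the plus-scripts are signed as well. Everything here is constructed: an HMAC stands in for a real public-key signature, the manifest is only loosely modelled on +CONTENTS with "@comment SHA256:" digest lines, and the package file names are made up.

```python
"""Toy signed-package checker (added example, not from the thread or pkgsrc).
Constructed assumptions: HMAC instead of a real signature, a +CONTENTS-like
manifest with "@comment SHA256:" digest lines, made-up package contents."""
import hashlib
import hmac
import io
import tarfile

KEY = b"demo-signing-key"           # constructed; a real scheme would use a key pair
PLUS_SCRIPTS = ("+INSTALL", "+DEINSTALL")


def sign(data: bytes) -> str:
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def build_contents(files: dict) -> bytes:
    """Manifest: one line per pure file, each followed by its digest (constructed format)."""
    lines = ["@name demo-1.0"]
    for name in sorted(files):
        lines += [name, "@comment SHA256:" + hashlib.sha256(files[name]).hexdigest()]
    return ("\n".join(lines) + "\n").encode()


def write_tar(members: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_members(tar_bytes: bytes) -> dict:
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}


def make_pkg(files: dict, scripts: dict) -> bytes:
    return write_tar({"+CONTENTS": build_contents(files), **scripts, **files})


def sign_pkg(tar_bytes: bytes, sign_scripts: bool) -> dict:
    """Publisher side: always sign +CONTENTS; optionally also the plus-scripts."""
    members = read_members(tar_bytes)
    names = ["+CONTENTS"] + [n for n in members if sign_scripts and n in PLUS_SCRIPTS]
    return {n: sign(members[n]) for n in names}


def tamper(tar_bytes: bytes, name: str, data: bytes) -> bytes:
    """Attacker side: swap one member, leaving +CONTENTS and the signatures untouched."""
    members = read_members(tar_bytes)
    members[name] = data
    return write_tar(members)


def verify(tar_bytes: bytes, sigs: dict, require_script_sigs: bool) -> str:
    """pkg_add side: returns "ok" or the first problem found."""
    members = read_members(tar_bytes)
    contents = members["+CONTENTS"]
    if not hmac.compare_digest(sign(contents), sigs.get("+CONTENTS", "")):
        return "bad +CONTENTS signature"
    expected, current = {}, None
    for line in contents.decode().splitlines():
        if line.startswith("@comment SHA256:"):
            expected[current] = line.split(":", 1)[1]
        elif not line.startswith("@"):
            current = line
    for name, digest in expected.items():        # every listed file must match its digest
        if name not in members or hashlib.sha256(members[name]).hexdigest() != digest:
            return "digest mismatch: " + name
    for name in members:                         # every pure file must be listed
        if not name.startswith("+") and name not in expected:
            return "untracked file: " + name
    if require_script_sigs:                      # the plus-scripts are NOT covered by +CONTENTS
        for name in PLUS_SCRIPTS:
            if name in members and not hmac.compare_digest(sign(members[name]), sigs.get(name, "")):
                return "bad or missing signature: " + name
    return "ok"


# Constructed sample package and a constructed malicious +INSTALL.
FILES = {"bin/hello": b"#!/bin/sh\necho hello\n", "share/doc/hello/README": b"demo\n"}
SCRIPTS = {"+INSTALL": b"#!/bin/sh\n: honest install\n",
           "+DEINSTALL": b"#!/bin/sh\n: honest deinstall\n"}
EVIL_INSTALL = b"#!/bin/sh\ntouch /tmp/owned   # drops a file +CONTENTS knows nothing about\n"


def demo(sign_scripts: bool) -> dict:
    pkg = make_pkg(FILES, SCRIPTS)
    sigs = sign_pkg(pkg, sign_scripts)
    return {
        "honest": verify(pkg, sigs, sign_scripts),
        "tampered_file": verify(tamper(pkg, "bin/hello", b"#!/bin/sh\n: replaced\n"), sigs, sign_scripts),
        "extra_file": verify(tamper(pkg, "bin/backdoor", b"x"), sigs, sign_scripts),
        "tampered_script": verify(tamper(pkg, "+INSTALL", EVIL_INSTALL), sigs, sign_scripts),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("sign plus-scripts =", mode, demo(mode))
```

With sign_scripts=False the manifest signature catches a replaced or added pure file, but the swapped +INSTALL verifies as "ok", which is exactly the gap the reply describes: the script runs at pkg_add time and can create files that neither +CONTENTS nor the tarball accounts for. With sign_scripts=True the same tampering is reported as a bad +INSTALL signature.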