Subject: Re: signed binary pkgs
To: None <tech-security@NetBSD.org, tech-pkg@NetBSD.org>
From: Alan Barrett <apb@cequrux.com>
List: tech-security
Date: 07/25/2005 10:12:17

On Sun, 24 Jul 2005, Hubert Feyrer wrote:
> Please let's just sign the whole file.
> It's more failsafe, and not that difficult to implement, see my other
> posting.

Yes, I'd like to see a signature on the entire ${package}.tgz file.

I'd also like to see an option to sign a bundle of packages, to reduce
the disk space overhead.  I envisage a signed file that contains a list
of {packagename, hash-algorithm, hash-value} tuples, perhaps in the
familiar format that's already used in pkgsrc "distinfo" files.  This
could be especially useful for syspkgs, where there are hundreds of
packages that are all created at once (and could easily be signed all at
once), and where the disk space overhead could be important.

--apb (Alan Barrett)
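
The bundle idea in the message above, sketched as an added example (not part of the original message and not pkgsrc code): one list of distinfo-style `ALGORITHM (packagename) = hash` lines covers many packages, and each package is checked against it. It assumes the list's own signature has already been verified by other means; the function names, the algorithm subset and the sample package files are constructed for illustration.

```python
import hashlib, hmac, os, re, tempfile

# distinfo-style entry: "SHA1 (foo-1.0.tgz) = <hex digest>"
LINE_RE = re.compile(r"(\w+) \(([^()/]+)\) = ([0-9a-f]+)")
# distinfo algorithm name -> hashlib name (subset chosen for this example)
ALGORITHMS = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}

def parse_manifest(text):
    """Return {packagename: [(algorithm, hexdigest), ...]}; reject anything else."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.fullmatch(line)
        if not m or m.group(1) not in ALGORITHMS:
            raise ValueError(f"line {lineno}: unrecognised entry")
        entries.setdefault(m.group(2), []).append((m.group(1), m.group(3)))
    return entries

def file_digest(path, alg):
    h = hashlib.new(ALGORITHMS[alg])
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_package(path, entries):
    """True only if the file is listed and every listed digest matches."""
    listed = entries.get(os.path.basename(path))
    if not listed:
        return False  # not covered by the signed list: fail closed
    return all(hmac.compare_digest(file_digest(path, a), want) for a, want in listed)

def demo():
    """Constructed sample: two listed packages (one later modified), one unlisted."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("base-a.tgz", "base-b.tgz", "extra.tgz")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"constructed contents of " + os.path.basename(p).encode())
        manifest = "".join(
            f"{alg} ({os.path.basename(p)}) = {file_digest(p, alg)}\n"
            for p in paths[:2] for alg in ("SHA1", "SHA256"))
        with open(paths[1], "ab") as f:
            f.write(b"modified after signing")
        entries = parse_manifest(manifest)
        return [verify_package(p, entries) for p in paths]

if __name__ == "__main__":
    print(demo())
```

A package that is absent from the list is rejected rather than skipped, since with a bundle signature the list is the only thing vouching for each file.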