Subject: Re: signed binary pkgs
To: Alan Barrett <>
From: Curt Sampson <>
List: tech-security
Date: 07/26/2005 10:50:54
On Mon, 25 Jul 2005, Alan Barrett wrote:

> Yes, I'd like to see a signature on the entire ${package}.tgz file.

What are the advantages of this? What are the disadvantages?

> I'd also like to see an option to sign a bundle of packages, to reduce
> the disk space overhead.

It doesn't seem to me that there's going to be so much overhead anyway,
and we'd achieve minimal overhead or very close to it in all cases if we
put the signature in the archive itself.

And signing of bundles seems as if it would be even more of a hassle for
downloaders yet.

I think it's very important to make it as automatic as possible that
signatures come along with packages, no matter how downloaded, so that
they are used as much as possible.

Curt Sampson  <>   +81 90 7737 2974
      Make up enjoying your city life...produced by BIC CAMERA