Subject: Re: BPG call for use cases
To: Simon J. Gerraty <email@example.com>
From: Curt Sampson <firstname.lastname@example.org>
Date: 07/31/2005 13:51:36
On Sat, 30 Jul 2005, Simon J. Gerraty wrote:
> I'm late to the party again, but fwiw, I've been using "signed"
> packages at work for some time. This is typically done as a wrapper
> package - that contains the original .tgz and a .tgz.sig and the bits
> needed to verify it. Customers can only access the "signed" packages.
> For more recent packaging, the .sig's are an integral part of the
> packaging and are verified by the +INSTALL script.
Can you explain the details of how you're doing this?
(I've added tech-pkg to the list; there's been a fair amount of
discussion there about different ways of implementing this.)
> Even more recently, I replaced pkg_add with a rather simple shell
> script (does all the pkg_add functionality that we use), with the big
> difference being that it insists on verifying the .sig's before even
> running the +REQUIRE. That's rather important for FIPS compliance...
I'll keep that in mind.
> BTW, updating pkg_* to use sha1 hashes (or better yet sha2) rather
> than md5 would be a useful improvement.
I've been anticipating a generic archive signing mechanism that would
let you use your choice of as many different hash types as you want, a
la pkgsrc distinfo files.
Curt Sampson <email@example.com> +81 90 7737 2974 http://www.NetBSD.org
Make up enjoying your city life...produced by BIC CAMERA
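The two ideas in this exchange, a pkg_add replacement that refuses to run +REQUIRE or +INSTALL until the archive has verified, and a distinfo-style file that can carry several hash types, can be put together in a few dozen lines of sh. The script below is an added illustration, not Simon's wrapper, not Curt's proposed mechanism and not pkgsrc code. It assumes coreutils sha1sum/sha256sum (or shasum) and tar are available, that distinfo lines use the pkgsrc shape `SHA256 (file) = hex` and `Size (file) = N bytes`, and it calls the package scripts as `sh +REQUIRE pkgname INSTALL`, which is a simplification of what pkg_add really does. The sample package and distinfo are constructed inside the script. Note that hashes alone only give integrity; the .tgz.sig Simon describes (or a signature over the distinfo file) is what supplies authenticity, and it belongs at the same point in the flow, before anything from the archive is unpacked or executed.

```shell
#!/bin/sh
# Added example (not NetBSD/pkgsrc code): verify a package archive against a
# pkgsrc-style distinfo file BEFORE any script shipped inside it is run.
# Assumptions: sha1sum/sha256sum (or shasum), tar, awk, mktemp are present.
set -u

# Map a distinfo algorithm name to a digest command printing "<hex> ...".
# MD5 is deliberately absent: unknown or weak algorithms fail closed.
digest_cmd() {
    case "$1" in
        SHA1)   if command -v sha1sum >/dev/null 2>&1; then echo sha1sum; else echo "shasum -a 1"; fi ;;
        SHA256) if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi ;;
        SHA512) if command -v sha512sum >/dev/null 2>&1; then echo sha512sum; else echo "shasum -a 512"; fi ;;
        *) return 1 ;;
    esac
}

# file_digest ALGO FILE -> hex digest on stdout, status 1 if ALGO unsupported.
file_digest() {
    cmd=$(digest_cmd "$1") || return 1
    $cmd "$2" | awk '{print $1}'
}

# verify_distinfo DISTINFO FILE: every line naming FILE must match (any number
# of hash types plus Size); at least one line must exist; MD5 is refused.
verify_distinfo() {
    distinfo=$1 file=$2 base=$(basename "$2") checked=0
    while IFS= read -r line; do
        case "$line" in *"($base) = "*) ;; *) continue ;; esac
        algo=${line%% *}
        expect=${line##*= }
        case "$algo" in
            MD5)  echo "refusing weak digest $algo for $base" >&2; return 1 ;;
            Size) actual=$(wc -c < "$file" | tr -d ' '); expect=${expect% bytes} ;;
            *)    actual=$(file_digest "$algo" "$file") ||
                      { echo "unsupported digest $algo for $base" >&2; return 1; } ;;
        esac
        [ "$actual" = "$expect" ] || { echo "$algo mismatch for $base" >&2; return 1; }
        checked=$((checked + 1))
    done < "$distinfo"
    [ "$checked" -gt 0 ]
}

# safe_pkg_add DISTINFO PKG.tgz DESTDIR: the ordering is the point. Nothing is
# unpacked and no +REQUIRE/+INSTALL is executed unless verification passes.
safe_pkg_add() {
    pkg=$2 dest=$3 name=$(basename "$2" .tgz)
    if ! verify_distinfo "$1" "$pkg"; then
        echo "pkg_add: $pkg failed verification; nothing unpacked, nothing run" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xzf "$pkg" -C "$dest" || return 1
    for script in +REQUIRE +INSTALL; do          # only now is running these safe
        [ -f "$dest/$script" ] || continue
        sh "$dest/$script" "$name" INSTALL || { echo "pkg_add: $script failed" >&2; return 1; }
    done
}

# make_sample_pkg DIR: constructed sample package and its distinfo (SHA1 +
# SHA256 + Size), standing in for a real binary package.
make_sample_pkg() {
    dir=$1
    mkdir -p "$dir/build"
    printf '@name demo-1.0\n@cwd /usr/pkg\n' > "$dir/build/+CONTENTS"
    printf '#!/bin/sh\necho "+REQUIRE: $1 $2"\nexit 0\n' > "$dir/build/+REQUIRE"
    printf '#!/bin/sh\necho "+INSTALL: $1 $2"\nexit 0\n' > "$dir/build/+INSTALL"
    (cd "$dir/build" && tar -czf ../demo-1.0.tgz ./+CONTENTS ./+REQUIRE ./+INSTALL)
    {
        echo "SHA1 (demo-1.0.tgz) = $(file_digest SHA1 "$dir/demo-1.0.tgz")"
        echo "SHA256 (demo-1.0.tgz) = $(file_digest SHA256 "$dir/demo-1.0.tgz")"
        echo "Size (demo-1.0.tgz) = $(wc -c < "$dir/demo-1.0.tgz" | tr -d ' ') bytes"
    } > "$dir/distinfo"
}

demo() {
    d=$(mktemp -d)
    make_sample_pkg "$d"
    safe_pkg_add "$d/distinfo" "$d/demo-1.0.tgz" "$d/root" && echo "good package installed"
    printf 'x' >> "$d/demo-1.0.tgz"            # simulate tampering in transit
    safe_pkg_add "$d/distinfo" "$d/demo-1.0.tgz" "$d/root2" || echo "tampered package rejected"
    rm -rf "$d"
}
demo
```

Run it as-is to see the good package install and the tampered copy rejected without its +REQUIRE ever executing. Adding a second or third hash line to distinfo needs no code change, which is the "as many hash types as you want" property; dropping support for an algorithm later is a one-line edit to digest_cmd, and anything not listed there is rejected rather than silently skipped.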