Subject: Re: signed binary pkgs [was: Re: BPG call for use cases]
To: Simon J. Gerraty <>
From: Curt Sampson <>
List: tech-security
Date: 07/31/2005 14:15:41
On Sat, 30 Jul 2005, Simon J. Gerraty wrote:

>>> Please let's just sign the whole file.
>>> It's more failsafe, and not that difficult to implement, see my other
>>> posting.
>> It's a PITA for users.

> No it isn't. My users have been doing this for years. They add
> foo-signed.tgz it gets unpacked and contains foo.tgz and foo.tgz.sig,
> its +INSTALL is totally generic - it verifies the .sig and only if it
> is ok, pkg_delete's foo and then adds foo.tgz
> The trick is to not actuall make foo.tgz available to users ;-)

In other words, you've replaced the current mechanism so that the user
sees a single file, and uses a single command to verify the signature
and do the package install.

That's my proposal too.

As I understand it, the other proposal was that the user have to
download the signature file separately from the package file, and
possibly even use the current pkgsrc mechanism which will, using the
"standard way" of adding a package, ignore the signature file completely
and just do the install.

Curt Sampson  <>   +81 90 7737 2974
      Make up enjoying your city life...produced by BIC CAMERA