Subject: Re: adding gpg to src/gnu/dist
To: None <tech-userlevel@NetBSD.org, tech-security@NetBSD.org>
From: Love <lha@stacken.kth.se>
List: tech-userlevel
Date: 05/18/2004 19:22:06

"Steven M. Bellovin" <smb@research.att.com> writes:

> So -- what do we want to be checkable, by whom or what, and in what 
> sort of environment?

I want to be able to check binary pkgs and releases (the tarballs and, in
the future, syspkgs). Also, having the install media signed is a
requirement.

I think it would be cool if pkgsrc's distinfo files could be signed (or the
equivalent), but I don't know how well that would work.

I want to be able to have an "update-(sys)pkg" in my cron to fetch the latest
security fixes for src/pkgsrc in releases.

The environments should be the install media, that fetches the tarballs from
ftp/http and when installed, when updating the pkgs. Since the latter
operations might happen unattended, there is need for machine parsable
policy.

I'm not sure if there is a need to specifically identify individual
developers. For me as a sysadmin there is need to identify my users (mostly
for login/webauth problems), but is there a need for that in NetBSD?

Love
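
The unattended "signed distinfo plus machine-parsable policy" check the post asks for, as an added example (not code from the post or from NetBSD/pkgsrc): the updater gates on a fingerprint allow-list read from the policy rather than on gpg's own trust database, parses a pkgsrc-style distinfo file, and only then verifies the distfile digests and size. It assumes a `gpg --status-fd` run whose `VALIDSIG` lines are fed in; the distinfo, the fingerprints and the distfile contents are constructed samples, and the sample uses SHA1 and SHA512 (rather than 2004-era SHA1/RMD160) so the digests can be recomputed with plain `hashlib`.

```python
import hashlib
import re

# Constructed sample data (not from any real pkgsrc tree): a distinfo for one
# distfile whose contents are the bytes b"abc".
DISTFILE_DATA = b"abc"
SAMPLE_DISTINFO = """\
$NetBSD$

SHA1 (foo-1.0.tar.gz) = a9993e364706816aba3e25717850c26c9cd0d89d
SHA512 (foo-1.0.tar.gz) = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f
Size (foo-1.0.tar.gz) = 3 bytes
"""
# Machine-parsable policy for the cron updater: which signing keys may
# authorise an update (placeholder fingerprint) and which digests every
# distinfo entry must carry.
POLICY = {
    "trusted_fingerprints": {"0000000000000000000000000000000000000000"},
    "required_digests": ("SHA1", "SHA512"),
}
# gpg --status-fd prints one VALIDSIG line per good signature; the third
# field is the signing key's fingerprint. Both status samples are constructed.
GOOD_STATUS = ["[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2004-05-18 1084900926 0 3 0 17 2 00"]
BAD_STATUS = ["[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2004-05-18 1084900926 0 3 0 17 2 00"]

LINE_RE = re.compile(r"^(\w+) \(([^)]+)\) = (.+)$")

def parse_distinfo(text):
    """Map each distfile to its {algorithm: expected value} entries."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            algo, name, value = m.groups()
            entries.setdefault(name, {})[algo] = value
    return entries

def signature_accepted(status_lines, policy):
    """Policy-driven trust: a good signature counts only if its key
    fingerprint is on the allow-list; anything else (BADSIG, unknown key,
    no VALIDSIG at all) is rejected."""
    for line in status_lines:
        f = line.split()
        if len(f) >= 3 and f[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return f[2] in policy["trusted_fingerprints"]
    return False

def distfile_ok(name, data, entries, policy):
    """Every digest the policy requires must be present and match; the
    Size line, when present, must match too."""
    expected = entries.get(name, {})
    for algo in policy["required_digests"]:
        if algo not in expected:
            return False
        if hashlib.new(algo.lower(), data).hexdigest() != expected[algo]:
            return False
    return expected.get("Size", f"{len(data)} bytes") == f"{len(data)} bytes"

def update_allowed(status_lines, distinfo_text, name, data, policy=POLICY):
    """Gate for the unattended updater: signature policy first, digests second."""
    if not signature_accepted(status_lines, policy):
        return False
    return distfile_ok(name, data, parse_distinfo(distinfo_text), policy)
```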

