Subject: Re: adding gpg to src/gnu/dist
To: None <tech-userlevel@NetBSD.org, tech-security@NetBSD.org>
From: Love <firstname.lastname@example.org>
Date: 05/18/2004 19:22:06
"Steven M. Bellovin" <email@example.com> writes:
> So -- what do we want to be checkable, by whom or what, and in what
> sort of environment?
I want to be able to check binary pkgs and releases (the tarballs and in
the future, syspkg's). Also having the install media signed is a

I think it would be cool if pkgsrc's distinfo files could be signed (or the
equivalent), but I don't know how well that would work.

I want to be able to have an "update-(sys)pkg" in my cron to fetch the latest
security fixes for src/pkgsrc in releases.

The environments should be the install media, that fetches the tarballs from
ftp/http and when installed, when updating the pkgs. Since the latter
operations might happen unattended, there is need for machine parsable

I'm not sure if there is a need to specifically identify individual
developers. For me as a sysadmin there is need to identify my users (mostly
for login/webauth problems), but is there a need for that in NetBSD?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (NetBSD)
-----END PGP SIGNATURE-----