Subject: Re: pkg-vulnerabilities
To: Christian Biere <christianbiere@gmx.de>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: pkgsrc-users
Date: 10/03/2006 16:41:22
On Tue, 3 Oct 2006 20:52:51 +0200, Christian Biere <christianbiere@gmx.de>
wrote:

> Hi,
> 
> I wonder why isn't pkg-vulnerabilities compressed?
> The file is already over 200 kB large and compresses
> quite well to about 10% of its size.

Compressed storage on the local machine is probably a bad idea, since it
would need to be decompressed several times for each package built.  And
it's probably pointless -- look at how big pkgsrc is, and ask if 200KB
makes that much difference.

> Further, why
> isn't it signed or at least transferred over TLS?
> Using Subversion instead or as an alternative would be
> a good idea as well, IMHO.

A digital signature would be a good idea -- verify it at download time.
Using TLS would put a lot more load on ftp.netbsd.org, and wouldn't help
at all if you were using a mirror.




		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
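The "verify it at download time" approach from the reply above, as an added example that is not part of this thread or of pkgsrc: the publisher signs pkg-vulnerabilities once, and the client checks the detached signature against a pinned public key before accepting the bytes, so the mirror that served them is never trusted and TLS on the mirror adds nothing for integrity. Ed25519 via Go's crypto/ed25519 and the sample file contents are assumptions for illustration, not the mechanism pkgsrc uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Constructed stand-in for the file fetched from ftp.netbsd.org or a mirror.
const pkgVulnerabilities = "# constructed sample, not the real pkg-vulnerabilities\n" +
	"example-pkg<1.2.3 remote-code-execution https://example.invalid/advisory\n"

// VerifyDownload accepts the fetched bytes only if the detached signature
// validates under the pinned publisher key. The transport (FTP, HTTP, a
// mirror) plays no part in the decision.
func VerifyDownload(pub ed25519.PublicKey, data, sig []byte) error {
	if len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, data, sig) {
		return errors.New("signature does not match downloaded file")
	}
	return nil
}

// Demo simulates the publisher signing once, then two fetches: one from an
// honest mirror and one from a mirror that altered the vulnerable version range.
func Demo() (honestOK, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // publisher key pair
	if err != nil {
		return false, false, err
	}
	sig := ed25519.Sign(priv, []byte(pkgVulnerabilities)) // detached signature

	honestOK = VerifyDownload(pub, []byte(pkgVulnerabilities), sig) == nil

	// A tampering mirror narrows the affected range so the client stops warning.
	tampered := strings.Replace(pkgVulnerabilities, "<1.2.3", "<0.0.1", 1)
	tamperedOK = VerifyDownload(pub, []byte(tampered), sig) == nil
	return honestOK, tamperedOK, nil
}

func main() {
	honest, tampered, err := Demo()
	fmt.Println("honest mirror accepted:", honest, "tampered mirror accepted:", tampered, "err:", err)
}
```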