pkgsrc-Users archive
Re: pkg-vulnerabilities
On Tue, 3 Oct 2006 20:52:51 +0200, Christian Biere <christianbiere%gmx.de@localhost> wrote:

> Hi,
>
> I wonder why pkg-vulnerabilities isn't compressed?
> The file is already over 200 kB large and compresses
> quite well to about 10% of its size.

Compressed storage on the local machine is probably a bad idea, since it
would need to be decompressed several times for each package built. And
it's probably pointless -- look at how big pkgsrc is, and ask if 200KB
makes that much difference.

> Further, why
> isn't it signed or at least transferred over TLS?
> Using Subversion instead or as an alternative would be
> a good idea as well, IMHO.

A digital signature would be a good idea -- verify it at download time.
Using TLS would put a lot more load on ftp.netbsd.org, and wouldn't help
at all if you were using a mirror.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
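
Added example, not part of the original message and not pkgsrc's own code: verifying a detached signature at download time, as suggested above, so that a copy fetched from any mirror is installed only if it matches what the publisher signed. The RSA key pair, file names and list contents are constructed for the demonstration, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example. Key pair, file names and list contents are constructed.

# verify_and_install FILE SIG PUBKEY DEST
# Replaces DEST with FILE only if SIG is a valid signature over FILE
# under the locally pinned PUBKEY; otherwise DEST is left untouched.
verify_and_install() {
    if openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
    then
        # Copy, then rename, so a reader never sees a partial file.
        cp "$1" "$4.tmp" && mv "$4.tmp" "$4"
    else
        echo "bad signature on $1; keeping current $4" >&2
        return 1
    fi
}

# make_demo_files DIR: the publisher signs a list once; two copies are then
# "downloaded", one intact and one altered on a mirror or in transit.
make_demo_files() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/priv.pem" 2>/dev/null || return 1
    openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem" || return 1
    printf 'examplepkg<1.2 remote-code-execution https://example.invalid/adv\n' \
        > "$1/list"
    openssl dgst -sha256 -sign "$1/priv.pem" -out "$1/list.sig" "$1/list" \
        || return 1
    cp "$1/list" "$1/from_good_mirror"
    sed 's/<1.2/<0.1/' "$1/list" > "$1/from_bad_mirror"
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
for copy in from_good_mirror from_bad_mirror; do
    if verify_and_install "$demo_dir/$copy" "$demo_dir/list.sig" \
        "$demo_dir/pub.pem" "$demo_dir/installed"
    then echo "$copy: installed"
    else echo "$copy: rejected"
    fi
done
```

The check depends only on the pinned public key, not on which server delivered the file or whether the transfer used TLS.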