Subject: Re: pkg-vulnerabilities
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Geert Hendrickx <ghen@NetBSD.org>
List: pkgsrc-users
Date: 10/04/2006 09:20:54
On Tue, Oct 03, 2006 at 04:41:22PM -0400, Steven M. Bellovin wrote:
> Compressed storage on the local machine is probably a bad idea, since it
> would need to be decompressed several times for each package built.  And
> it's probably pointless -- look at how big pkgsrc is, and ask if 200KB
> makes that much difference.

It's not about storage, but about the download itself.  I think providing a
bzip2'ed version would be a good idea.

Btw, you can rsync pkg-vulnerabilities...

> A digital signature would be a good idea -- verify it at download time.
> Using TLS would put a lot more load on ftp.netbsd.org, and wouldn't help
> at all if you were using a mirror.

Agreed; the file should be signed/secured, not the connection.

	Geert
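The design both posts agree on above (sign the file, verify the signature at download time, and let the mirror be untrusted) as an added example, not code from the thread or from pkgsrc; it assumes Ed25519 for the signature (the thread names no algorithm), a constructed one-line sample file, and hypothetical function names, with in-memory maps standing in for mirrors:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample content standing in for pkg-vulnerabilities (not the real format).
const sampleDB = "foo-1.0 remote-code-execution http://example.invalid/advisory\n"

var ErrBadSignature = errors.New("pkg-vulnerabilities: signature does not verify")

// Publish signs the database once, producing the detached signature that is
// mirrored next to the file. The signing key never leaves the publisher.
func Publish(priv ed25519.PrivateKey, db []byte) []byte {
	return ed25519.Sign(priv, db)
}

// Fetch models downloading both files from whatever mirror is closest. The
// transport is untrusted, so the bytes must be checked before any use.
func Fetch(mirror map[string][]byte) (db, sig []byte) {
	return mirror["pkg-vulnerabilities"], mirror["pkg-vulnerabilities.sig"]
}

// VerifyDB accepts the database only if the detached signature verifies under
// the pinned publisher key; which host served it plays no role.
func VerifyDB(pub ed25519.PublicKey, db, sig []byte) ([]byte, error) {
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, db, sig) {
		return nil, ErrBadSignature
	}
	return db, nil
}

// Demo runs the flow against an honest mirror and one serving a modified copy
// with the original signature, and reports whether each copy was accepted.
func Demo() (goodAccepted, tamperedAccepted bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := Publish(priv, []byte(sampleDB))
	good := map[string][]byte{"pkg-vulnerabilities": []byte(sampleDB), "pkg-vulnerabilities.sig": sig}
	bad := map[string][]byte{"pkg-vulnerabilities": []byte("# advisory removed\n"), "pkg-vulnerabilities.sig": sig}
	gdb, gsig := Fetch(good)
	bdb, bsig := Fetch(bad)
	_, errGood := VerifyDB(pub, gdb, gsig)
	_, errBad := VerifyDB(pub, bdb, bsig)
	return errGood == nil, errBad == nil
}

func main() {
	g, t := Demo()
	fmt.Printf("authentic copy accepted: %v, tampered copy accepted: %v\n", g, t)
}
```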