Subject: Re: add builder and build date to +BUILD_INFO
To: None <tech-pkg@netbsd.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-pkg
Date: 10/08/2003 16:52:32

On Thu, 9 Oct 2003, Michal Pasternak wrote:

> > What do you think about having +BUILD_INFO include a BUILDER field with
> > user@hostname:/path/to/pkgsrc and a BUILD_DATE field with the time and
> > date of .install_done?
>
> It's no use. When I build a package from pkgsrc, I know it was built by me. If
> I download a package from netbsd.org, I know it was built by NetBSD
> developers. It is really easy to fake such information.

I am not doing this for integrity checking.

Even if a package is built in my network -- I'd like to know who
(automated/bulk-builds user?), when and where (since I build on many
different machines, some using NFS pkgsrc). I could look at timestamps of
files, but that isn't easy enough.

Also, it would be good to know which developer built a package on a
download site. (Again, I know this can be forged.) Also, packages are
available via non-official NetBSD servers too (such as a Solaris packages
project and my soon-to-be-made-available Linux packages file server).

> However, packages could be somehow signed (PGP? GnuPG?), so you could know
> then, who *really* built them.

That would be good. But that's another subject.

   Jeremy C. Reed
   http://bsd.reedmedia.net/