Subject: Re: little hacking project: bulk build checksums
To: None <tech-pkg@NetBSD.org>
From: Jan Schaumann <jschauma@netmeister.org>
List: tech-pkg
Date: 01/22/2005 12:34:29
--wzJLGUyc3ArbnUjN
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Lasse Kliemann <lasse-list-tech-pkg-netbsd-2004@plastictree.net> wrote:
=20
> BTW, how about signing the binary packages themselves?
> Does this make a difference regarding security?
Signed binary packages are something I would *Really* like to see, and
it has been discussed on-again off-again.
Things to consider here is whether or not packages should be signed by
the developer building them or by a known common key (security-officer?
a new 'pkgsrc' key?). This would also entail adding the necessary bits
to the pkg* tools to verify the signature, which would mean getting PGP
functionality into the base system.
Getting PGP support into the base system would be great, but is unlikely
at the moment, since surely we don't want gnupg (with the worst human
interface ever + GPL)...
-Jan
--=20
Of course it runs NetBSD! http://www.netbsd.org
--wzJLGUyc3ArbnUjN
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)
iD8DBQFB8o6lfFtkr68iakwRAo7zAJ496DTbK3botL2jKidEysFfjcM1hgCfVPRY
FRPareat1Cs78xad0HQgNt0=
=V2rp
-----END PGP SIGNATURE-----
--wzJLGUyc3ArbnUjN--