Subject: Re: signed binary pkgs [was: Re: BPG call for use cases]
To: Curt Sampson <cjs@cynic.net>
From: Todd Vierling <tv@duh.org>
List: tech-pkg
Date: 07/23/2005 10:47:56
On Sat, 23 Jul 2005, Curt Sampson wrote:
> > You'd need to sign the +INSTALL and +DEINSTALL scripts too, as they can
> > generate files not tracked by +CONTENTS.
>
> Anything not in the +CONTENTS file itself also needs to be signed
> somehow, right?
+CONTENTS *should* contain all pure files present in the tarball, even
though some of +CONTENTS may be automatically generated. Some extra
plus-files need signing, however, as they (specifically the
INSTALL/DEINSTALL scripts) can generate files not present in +CONTENTS or
the tarball itself at pkg_add time.
--
-- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>