tech-pkg archive


Re: Merge of pkg_install-renovation



On Tue, Nov 04, 2008 at 01:43:48PM +0100, Joerg Sonnenberger wrote:
> Regressions:
> - currently no support for GPG based signatures
>   - existing support only ever worked for local packages anyway and even
>     in that case TOCTOA issues remained, so running gpg by hand before is
>     as secure as the old code
>   - the signature format can be easily extended to deal with GPG signatures
>     once the issue of having a proper standalone library exists; hacks to
>     call gpg would be possible, but have issues like bootstrapping

Yes, these are both true (the local packages thing is stretching it a
bit, it's only binary package grabbing that you're talking about, but
whatever), but they are still regressions.

I'd like to see the previous support for gpg (and pgp) restored before
this is merged. And, yes, I'm doing my best to get the second one done
from a library, but it will have to be done to my own timescales, and it
may not be done tomorrow. But having gpg signatures is important to me,
and I see no reason for a regression here.

Thanks,
Alistair
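The TOCTOU point in Joerg's bullet (verifying a binary package by path and then re-opening it by path to install it) is easy to see in code. The example below is added here and is not code from this thread or from pkg_install; it uses an HMAC over the package bytes as a stand-in for a detached GPG/PGP signature (an assumption, to keep it standard-library only), constructed package contents, and a callback that simulates the file being replaced between the check and the use:

```python
import hashlib
import hmac
import os
import shutil
import tempfile

# Constructed key standing in for a signing key. Real code would verify a
# detached GPG/PGP signature; an HMAC keeps this example dependency-free.
SIGNING_KEY = b"example-key-not-for-real-use"


def sign(data: bytes) -> bytes:
    """Stand-in for producing a detached signature over the package bytes."""
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    """Constant-time comparison of the expected and presented signature."""
    return hmac.compare_digest(sign(data), sig)


def racy_install(path: str, sig: bytes, between_check_and_use=None) -> bytes:
    """Verify by path, then re-open by path: the classic TOCTOU shape.

    Whatever is at `path` at the second open is what gets installed, even
    if it is no longer the bytes that were verified.
    """
    with open(path, "rb") as f:
        if not verify(f.read(), sig):
            raise ValueError("bad signature")
    if between_check_and_use is not None:
        between_check_and_use()  # simulates the file changing underneath us
    with open(path, "rb") as f:
        return f.read()  # "installs" the current contents of path


def safe_install(path: str, sig: bytes, between_check_and_use=None) -> bytes:
    """Read once, verify the bytes in hand, install those same bytes.

    The check and the use operate on one in-memory copy, so a later change
    to the file on disk cannot affect what is installed.
    """
    with open(path, "rb") as f:
        data = f.read()
    if not verify(data, sig):
        raise ValueError("bad signature")
    if between_check_and_use is not None:
        between_check_and_use()  # same simulated change; it no longer matters
    return data


def demo() -> tuple:
    """Run both patterns against a file that is swapped after verification."""
    good = b"good package contents"      # constructed
    evil = b"tampered package contents"  # constructed
    sig = sign(good)

    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "pkg.tgz")

    def write(contents: bytes) -> None:
        with open(path, "wb") as f:
            f.write(contents)

    def swap() -> None:
        write(evil)

    try:
        write(good)
        installed_by_racy = racy_install(path, sig, swap)
        write(good)
        installed_by_safe = safe_install(path, sig, swap)
    finally:
        shutil.rmtree(workdir)

    return installed_by_racy, installed_by_safe


if __name__ == "__main__":
    racy, safe = demo()
    print("racy installed:", racy)
    print("safe installed:", safe)
```

The racy variant ends up installing the swapped-in bytes even though the signature check passed; the safe variant installs exactly the bytes it verified. Running gpg by hand beforehand, as the quoted bullet notes, has the same shape as the racy variant, which is why a verification step that operates on the same data it goes on to extract is the property worth preserving in any restored gpg/pgp support.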

