tech-pkg archive


Re: DISTFILES signature verification



On 19/1/09 21:57, Tonnerre Lombard wrote:
> Salut, Adrian,
> 
> On Sun, 11 Jan 2009 16:26:32 +0000, Adrian Portelli
>> Comments ?
> 
> Well, using GnuPG for this is slightly unhelpful, since GnuPG is not a
> part of the base, of course. This means that one has to install
> unsigned packages before being able to verify the signatures.

True, and you're not even guaranteed that any packages will have a
signature anyway.  Some software authors provide them, and some don't.

> 
> I would rather use openssl to create and verify signatures; examples of
> how to do this can be found at
> http://oss.sygroup.ch/cgi-bin/viewvc.cgi/patchadd/tests/Makefile?view=co
> 
>                               Tonnerre

If we were implementing this as an 'in house' (i.e. pkgsrc) solution
then I agree that there are potentially better ways to do this using
other, possibly in-tree, tools.

However, the signature verification framework is designed to be used for
authors that have made the signature for their software available
themselves.  It's really just meant to take advantage of a feature that
is available now with some packages as opposed to implementing a
solution for all distfiles.

adrian.
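As an added illustration of the openssl-based approach Tonnerre mentions (example code, not from the thread or from pkgsrc), the shell functions below verify a distfile against a detached RSA signature using only openssl, and distinguish "no signature shipped" from "signature does not verify", since, as noted above, not every author provides one. The `.sig` naming convention and the PEM public key path are assumptions; the public key must still reach the verifier over a trusted path, which openssl itself cannot solve.

```shell
#!/bin/sh
# Added example, not from the thread: verify a distfile against a detached
# OpenSSL signature with tools found in a typical base system.
# Assumed (hypothetical) layout: <distfile>.sig beside the distfile, and a
# PEM public key published by the upstream author.
#
# Return codes of verify_distfile:
#   0 = signature present and valid
#   1 = signature present but does NOT verify (treat as a failed fetch)
#   2 = no signature shipped for this distfile (nothing to verify; the
#       build would have to rely on its own recorded checksum alone)

verify_distfile() {
    distfile=$1
    pubkey=$2
    sig=${3:-$distfile.sig}

    # Missing signature is a distinct outcome from a bad one.
    [ -f "$sig" ] || return 2

    # openssl dgst -verify recomputes the SHA-256 digest of the distfile
    # and checks the RSA signature over it with the public key.
    if openssl dgst -sha256 -verify "$pubkey" -signature "$sig" \
        "$distfile" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Upstream author's side: produce the detached signature with the private key.
sign_distfile() {
    distfile=$1
    privkey=$2
    openssl dgst -sha256 -sign "$privkey" -out "$distfile.sig" "$distfile"
}
```

Usage: `verify_distfile foo-1.0.tar.gz upstream-pub.pem; echo $?` prints 0, 1 or 2 as listed in the comments.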

