Re: Reasons for having SHA512?

[Jean-Yves Migeon <jeanyves.migeon%free.fr@localhost>]

On 13.06.2011 23:35, Aleksey Cheusov wrote:
> If we sign pkg_summary(5) containing sha512 and rmd160 cksums (just like
> we do for distfiles) for all packages, is it really necessary to sign
> every package individually?  I think no. It seems to me that we can just
> remove some unnecessary code from pkg_admin(8) and keep pkg_summary(5)
> and binary packages on ftp:// always in sync.

From a management perspective, single pkg signature are a necessity in
different setups, most notably:

1 - building standalone/offline pkgs: requires to download a third party
file, to which we apply signature check then check pkg checksum. Some
Linux distros do that, and it's a PITA when you want to sign your own
pkg without having to deploy a half-arsed repository behind. It's
especially tiresome when the sig is not "attached" to the pkg (think
about pkg fetched inside distfiles/ -- without the pkg_summary file
around, they are almost useless as you won't be able to check the sig at
pkg_add(1) time).

2 - someone sets up a system where packages have signatures coming from
different people (lets say: foo is in charge of building binary pkg A
and bar is in charge of pkg B): how/what would you do to check sigs
here? Forcing foo/bar to deploy their own repo?

IMHO, pkg should be uniquely signed at build/package time (depending on
configuration). Although pkg_summary signing looks lighter, it raises
some questions. Using hashes in a third party file for some sort of
"transitivity" signing scheme looks like a route full of traps.

-- 
Jean-Yves Migeon
jeanyves.migeon%free.fr@localhost