Subject: Re: signed binary pkgs [was: Re: BPG call for use cases]
To: Todd Vierling <tv@duh.org>
From: Simon J. Gerraty <sjg@crufty.net>
List: tech-security
Date: 07/30/2005 21:58:40
>> I've always disliked using compressed tar format for packages anyway--it
>> makes it inefficient to examine or extract components without reading
>> the whole thing.  Last I looked at the package code (5+ years ago),

FWIW, the simple pkg_add script I mentioned earlier handles a directory as the
package.  On space/cpu constrained systems you can unpack as you download, then
run pkg_add against the directory.  This is eaier to do if the package contains
.sig's for all the important files.  If there were a +CONTENTS.sig, then it 
would be simple to verify that and bail if it fails or if any files listed 
were missing or any files present that were not listed.

--sjg