cvs commit: ports/audio/gnump3d Makefile distinfo
ports/devel/bglibs Makefile ports/devel/cppi Makefile
ports/devel/cvsd Makefile ports/dns/walker Makefile distinfo
ports/ftp/lftp Makefile distinfo ports/ftp/twoftpd Makefile ...
Kirill Ponomarew
krion at voodoo.bawue.com
Tue Jan 30 10:02:11 UTC 2007
On Mon, Jan 29, 2007 at 07:52:42PM -0500, Jason Harris wrote:
> On Mon, Jan 29, 2007 at 07:05:07PM +0000, Gabor Kovesdan wrote:
> > gabor 2007-01-29 19:05:07 UTC
> >
> > FreeBSD ports repository
> >
> > Modified files:
>
> > Log:
> > Remove USE_GPG from all affected ports. This knob is a no-op and the way it
> > was supposed to work is useless, because if we can't trust the distfile from
> > the remote machine, we can't trust the signature from the same machine either.
> > Our MD5 and SHA256 are good for checking both the sanity and the
> > trustiness of distfiles.
> >
> > Approved by: portmgr (erwin), erwin (mentor)
>
> Please revert this.
>
> And, more importantly, please respect MAINTAINERs' wishes to make
> their ports more secure, by allowing the _automatic_ checking of
> GPG signatures as a first line of defense, rather than less secure.

This "_automatic_ checking of GPG signatures" never worked and
doesn't work since no code was put into bsd.port.mk.

IIRC we (portmgr) discussed the concerns about USE_GPG some years
ago and declined this idea per se.

-Kirill
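
The check the quoted commit log relies on, as an added example that is not part of the original thread or of bsd.port.mk: fetched bytes are compared with the MD5, SHA256 and SIZE values pinned in the port's distinfo, which is committed to the ports repository rather than served by the download host. The file name and byte strings are constructed, and `make_distinfo` is a hypothetical helper standing in for the committed file.

```python
import hashlib
import re

# Ports-tree distinfo line: "ALGO (filename) = value"
DISTINFO_LINE = re.compile(r"^(MD5|SHA256|SIZE) \((.+)\) = (\S+)$")


def make_distinfo(name, data):
    """Hypothetical stand-in for the distinfo committed alongside the port."""
    return "\n".join([
        f"MD5 ({name}) = {hashlib.md5(data).hexdigest()}",
        f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}",
        f"SIZE ({name}) = {len(data)}",
    ]) + "\n"


def parse_distinfo(text):
    """Return {filename: {"MD5": hex, "SHA256": hex, "SIZE": "n"}}."""
    entries = {}
    for line in text.splitlines():
        m = DISTINFO_LINE.match(line.strip())
        if m:
            algo, name, value = m.groups()
            entries.setdefault(name, {})[algo] = value.lower()
    return entries


def verify_distfile(name, data, entries):
    """Compare fetched bytes with the pinned values; return the failed checks."""
    pinned = entries.get(name)
    if not pinned or "SHA256" not in pinned:
        return ["no pinned SHA256 for " + name]  # fail closed
    failures = []
    if "SIZE" in pinned and int(pinned["SIZE"]) != len(data):
        failures.append("SIZE")
    for algo in ("MD5", "SHA256"):
        if algo in pinned and hashlib.new(algo.lower(), data).hexdigest() != pinned[algo]:
            failures.append(algo)
    return failures


# Constructed sample: bytes seen at commit time vs. bytes a mirror serves later.
NAME = "example-1.0.tar.gz"
committed = parse_distinfo(make_distinfo(NAME, b"original release bytes"))
ok = verify_distfile(NAME, b"original release bytes", committed)
changed = verify_distfile(NAME, b"modified release bytes", committed)

if __name__ == "__main__":
    print("original:", ok or "OK")
    print("modified:", changed)
```

Because the pinned values travel with the ports tree, nothing else the download host serves next to a replaced distfile affects the result.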