[ECFT] pkgng 0.1-alpha1: a replacement for pkg_install
Benjamin Kaduk
kaduk at MIT.EDU
Tue Mar 29 03:46:09 UTC 2011
On Mon, 28 Mar 2011, Julien Laffaye wrote:
> On Mon, Mar 28, 2011 at 6:59 PM, Garrett Cooper <gcooper at freebsd.org> wrote:
>> On Mon, Mar 28, 2011 at 10:44 AM, Andriy Gapon <avg at freebsd.org> wrote:
>>>
>>> II. Package signing.
>>
>> That would be really nice.
>
> Right know we only planned to sign the repo database, so we can trust
> the sah256 of the packages stored in the database. Then if the package
> has the same sha256 as the one in the repo database it is considered
> trusted.
> If we want a per-package signing, we would have a tarball in a tarball.
I really expected this to have been mentioned already, but this approach
(tarball in a tarball) is taken by Debian packages, and I don't remember
hearing of any issues related to it. I don't think it's worth discounting
from the start without giving some considerationg, but I will defer to the
people actually doing the work.
-Ben Kaduk
More information about the freebsd-hackers
mailing list