ports/63546: ports/security/libprelude - fetch PGP signature
Oliver Eikemeier
eikemeier at fillmore-labs.com
Sun Feb 29 21:23:38 UTC 2004
Jason Harris wrote:
> On Sun, Feb 29, 2004 at 12:21:47PM -0800, Oliver Eikemeier wrote:
>
>>Synopsis: ports/security/libprelude - fetch PGP signature
>>
>>State-Changed-From-To: open->closed
>>State-Changed-By: eik
>>State-Changed-When: Sun Feb 29 21:13:54 CET 2004
>>State-Changed-Why:
>
>>- this should be more semi-automatic, like HAS_PGPSIGNATURE and `make pgpcheck'
>>- this interferes with PR 60558, since you can't simply add USE_GPG/PGP to the Makefile,
>> you'll have to correct DISTFILES for that.
>
>>http://www.freebsd.org/cgi/query-pr.cgi?pr=63546
>
> Please review ports/sysutils/coreutils and the many other
> ports which currently set USE_GPG?= yes.

These are 8 ports:
- audio/gnump3d
- devel/cvsd
- ftp/lftp
- misc/less
- net/tcping
- sysutils/coreutils
- www/elinks
- www/lynx

Unfortunate, but I guess we can fix this. I hope I made my point without
offending you, but blindly downloading and verifying a PGP signature is
actually *less* secure than the md5 checksum in distinfo, and worse, it
gives a false sense of security.

Regards
Oliver
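
Added example, not part of the original message: a sketch of the difference between a blind signature check and a pinned one, assuming "blindly" means accepting any good signature from whatever key was fetched along with it. The fingerprints, file contents and function names are constructed, the status lines follow GnuPG's `--status-fd` format, and SHA-256 stands in for the md5 entry in distinfo.

```python
import hashlib
import hmac

# Constructed sample values; none of these come from a real key or port.
UPSTREAM_FPR = "AAAA" * 10   # fingerprint the maintainer recorded out of band
OTHER_FPR = "BBBB" * 10      # some other key that was fetched automatically
TARBALL = b"constructed distfile contents"
REPLACED = b"constructed replaced distfile"
PINNED_SHA256 = hashlib.sha256(TARBALL).hexdigest()  # stands in for distinfo


def status(fpr):
    """Build constructed `gpg --status-fd` output for a good signature by fpr."""
    return (f"[GNUPG:] NEWSIG\n"
            f"[GNUPG:] GOODSIG {fpr[-16:]} Constructed Signer\n"
            f"[GNUPG:] VALIDSIG {fpr} 2004-02-29 1078089818 0 3 0 17 2 00 {fpr}\n")


def blind_check(status_text):
    """Accept on any GOODSIG line, whoever the signer is."""
    return any(line.split()[:2] == ["[GNUPG:]", "GOODSIG"]
               for line in status_text.splitlines())


def pinned_key_check(status_text, trusted_fprs):
    """Accept only if exactly one VALIDSIG names a pinned primary-key fingerprint."""
    found = []
    for line in status_text.splitlines():
        f = line.split()
        if f[:2] == ["[GNUPG:]", "VALIDSIG"] and len(f) >= 3:
            # Field 10 of VALIDSIG is the primary key; fall back to the signing key.
            found.append((f[11] if len(f) >= 12 else f[2]).upper())
    return len(found) == 1 and found[0] in trusted_fprs


def checksum_check(data, pinned_hex):
    """The distinfo-style check: compare the file's digest with the recorded one."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), pinned_hex)


if __name__ == "__main__":
    # A replaced distfile carrying a good signature from an unpinned key.
    s = status(OTHER_FPR)
    print("blind signature check accepts:", blind_check(s))
    print("pinned-key check accepts:     ", pinned_key_check(s, {UPSTREAM_FPR}))
    print("pinned checksum accepts:      ", checksum_check(REPLACED, PINNED_SHA256))
```
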