ports/63546: ports/security/libprelude - fetch PGP signature

Daniel Roethlisberger daniel at roe.ch
Sun Feb 29 23:24:19 UTC 2004


Oliver Eikemeier <eikemeier at fillmore-labs.com> [2004-02-29/22:23]:
> [...] but blindly downloading and verifying a PGP signature is
> actually *less* secure than the md5 checksum in distinfo, and worse,
> it gives a false sense of security.

I don't think anybody meant to replace the md5 checksum with blind PGP
key verifications (blind, as in without a valid certification chain).

But until there is some kind of generic PGP support in bsd.port.mk,
downloading the signatures into distfiles/ is extremely practical for
everybody who wants to *manually* verify PGP signatures on distfiles
against their keyring's web of trust.

The signature files don't actually occupy a significant amount of space,
and take no time to download, so I really see no reason why it should
not be done, unless there's ready to go more generic PGP support in the
ports system soon.

Just my EUR 0.02.

Cheers,
Dan

-- 
Daniel Roethlisberger <daniel at roe.ch>
GnuPG key ID 0x804A06B1 (DSA/ElGamal)
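The distinction drawn above, between a signature that merely verifies and one backed by a certification chain in the verifier's keyring, as an added example that is not code from the original mail or from the ports tree: it parses the machine-readable `gpg --status-fd` output of a detached-signature check and accepts the signature only when gpg reports full or ultimate trust in the key, alongside the md5 check against distinfo. The status lines, distfile name, file contents and distinfo are constructed samples.

```python
import hashlib
import re

# Constructed `gpg --status-fd 1 --verify` output: a cryptographically good
# signature whose key has no trust path in our keyring (the "blind" case).
STATUS_BLIND = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Upstream <release@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2004-02-29 1078099200 0 4 0 17 2 00
[GNUPG:] TRUST_UNDEFINED
"""
# Same signature, but the key is fully trusted through the keyring's web of trust.
STATUS_TRUSTED = STATUS_BLIND.replace("TRUST_UNDEFINED", "TRUST_FULLY")
# A signature that does not verify at all (constructed).
STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF Example Upstream\n"

SAMPLE_DATA = b"constructed distfile contents\n"  # stands in for the tarball
DISTFILE = "example-1.0.tar.gz"
# Constructed distinfo in the ports format of the time: MD5 (file) = hash
DISTINFO = "MD5 (%s) = %s\nSIZE (%s) = %d\n" % (
    DISTFILE, hashlib.md5(SAMPLE_DATA).hexdigest(), DISTFILE, len(SAMPLE_DATA))

def signature_certified(status_text):
    """True only for a good signature from a fully or ultimately trusted key,
    i.e. when a valid certification chain exists in the verifier's keyring."""
    good = False
    trust = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "VALIDSIG":      # only emitted for a good signature
            good = True
        elif parts[1].startswith("TRUST_"):
            trust = parts[1]            # TRUST_UNDEFINED, TRUST_FULLY, ...
    return good and trust in ("TRUST_FULLY", "TRUST_ULTIMATE")

def distinfo_md5(distinfo_text, distfile):
    """MD5 recorded for distfile in distinfo, or None if it is not listed."""
    for line in distinfo_text.splitlines():
        m = re.match(r"^MD5 \((.+)\) = ([0-9a-f]{32})$", line)
        if m and m.group(1) == distfile:
            return m.group(2)
    return None

def check_distfile(data, distfile, distinfo_text, status_text):
    """(md5_matches, signature_certified): the checksum is the baseline the
    ports system enforces; the signature adds to it only when the second is True."""
    md5_ok = hashlib.md5(data).hexdigest() == distinfo_md5(distinfo_text, distfile)
    return md5_ok, signature_certified(status_text)
```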