ports/63546: ports/security/libprelude - fetch PGP signature
Thomas-Martin Seck
tmseck-lists at netcologne.de
Mon Mar 1 06:50:19 UTC 2004
The following reply was made to PR ports/63546; it has been noted by GNATS.
From: tmseck-lists at netcologne.de (Thomas-Martin Seck)
To: bug-followup at freebsd.org
Cc:
Subject: Re: ports/63546: ports/security/libprelude - fetch PGP signature
Date: 1 Mar 2004 06:49:38 -0000
* Jason Harris <jharris at widomaker.com> [gmane.os.freebsd.devel.ports.bugs]:
> On Sun, Feb 29, 2004 at 10:23:33PM +0100, Oliver Eikemeier wrote:
>
>> Unfortunate, but I guess we can fix this. I hope I made my point without
>> offending you, but blindly downloading and verifying a PGP signature is
>> actually *less* secure than the md5 checksum in distinfo, and worse, it
>> gives a false sense of security.
I agree with you here.
> No offense taken - your presumptions about security plague many.
This has -- IMO -- nothing to do with security. It is already the
(unwritten) maintainer's duty to verify a signed distfile and it is (or
really should be) the committer's duty to do the same. The only purpose
of an automated check on the user's end would just be a check whether a
maintainer/committer was careless or part of a grand "let's trojan
FreeBSD" conspiracy.