[ECFT] pkgng 0.1-alpha1: a replacement for pkg_install

Benjamin Kaduk kaduk at MIT.EDU
Tue Mar 29 03:46:09 UTC 2011


On Mon, 28 Mar 2011, Julien Laffaye wrote:

> On Mon, Mar 28, 2011 at 6:59 PM, Garrett Cooper <gcooper at freebsd.org> wrote:
>> On Mon, Mar 28, 2011 at 10:44 AM, Andriy Gapon <avg at freebsd.org> wrote:
>>>
>>> II. Package signing.
>>
>> That would be really nice.
>
> Right know we only planned to sign the repo database, so we can trust
> the sah256 of the packages stored in the database. Then if the package
> has the same sha256 as the one in the repo database it is considered
> trusted.
> If we want a per-package signing, we would have a tarball in a tarball.

I really expected this to have been mentioned already, but this approach 
(tarball in a tarball) is taken by Debian packages, and I don't remember 
hearing of any issues related to it.  I don't think it's worth discounting 
from the start without giving some considerationg, but I will defer to the 
people actually doing the work.

-Ben Kaduk


More information about the freebsd-ports mailing list