[ECFT] pkgng 0.1-alpha1: a replacement for pkg_install

Tim Kientzle kientzle at freebsd.org
Tue Mar 29 04:42:15 UTC 2011


>>>> II. Package signing.
>>> 
>>> That would be really nice.
>> 
>> Right now we only planned to sign the repo database, so we can trust
>> the sha256 of the packages stored in the database. Then if the package
>> has the same sha256 as the one in the repo database it is considered
>> trusted.
>> If we want a per-package signing, we would have a tarball in a tarball.
> 
> I really expected this to have been mentioned already, but this approach (tarball in a tarball) is taken by Debian packages, and I don't remember hearing of any issues related to it.  I don't think it's worth discounting from the start without giving some consideration, but I will defer to the people actually doing the work.

If you use libarchive-style streaming, it's even
pretty straightforward to read and extract such
things without having to create a bunch of
temporary files.

You just need to be careful about compression.

Tim
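Added example, not code from this thread or from pkgng: the two points above in Python's tarfile, which reads archives sequentially much like libarchive. The outer tar is opened in stream mode, the inner gzip'd tarball is opened directly from the outer member's file object (no temporary file), and the inner tarball's stored bytes are sha256'd as they pass through and compared with a digest the caller obtained from the signed repo database, which is the trust model the thread describes. The package layout (a manifest.txt plus payload.tar.gz inside an uncompressed outer tar) and the trusted digest being handed in by the caller are assumptions for the example; Python stands in for C and libarchive.

```python
"""Stream a tarball-in-a-tarball without temp files and only trust the inner
payload once its stored bytes match a digest from a trusted source.
Example code; the layout below is constructed, not pkgng's on-disk format."""
import hashlib
import io
import tarfile

INNER_NAME = "payload.tar.gz"  # assumed member name for the inner tarball


class HashingReader:
    """Wrap a sequential reader and sha256 every byte that passes through it."""

    def __init__(self, fileobj):
        self._f = fileobj
        self.hasher = hashlib.sha256()

    def read(self, size=-1):
        data = self._f.read(size)
        self.hasher.update(data)
        return data

    def drain(self):
        # Consume whatever the inner reader left unread, so the digest covers
        # the whole stored member and not just what the decompressor touched.
        while self.read(65536):
            pass
        return self.hasher.hexdigest()


def _add(tf, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tf.addfile(info, io.BytesIO(data))


def build_package(files):
    """Constructed sample: an uncompressed outer tar holding a text manifest and
    a gzip'd inner tarball. Returns (outer_bytes, sha256 of the inner tarball
    exactly as stored), the digest standing in for the repo database entry."""
    inner = io.BytesIO()
    with tarfile.open(fileobj=inner, mode="w:gz") as tf:
        for name, data in files.items():
            _add(tf, name, data)
    inner_bytes = inner.getvalue()
    digest = hashlib.sha256(inner_bytes).hexdigest()

    outer = io.BytesIO()
    with tarfile.open(fileobj=outer, mode="w") as tf:
        _add(tf, "manifest.txt", b"name: demo\nversion: 0.1\n")
        _add(tf, INNER_NAME, inner_bytes)
    return outer.getvalue(), digest


def extract_nested(outer_bytes, trusted_digest):
    """Read the outer tar as a stream ("r|"), open the inner tarball straight
    from the outer member's file object ("r|gz", streaming gzip), and return
    the inner files only if the stored inner bytes hash to trusted_digest."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(outer_bytes), mode="r|") as outer:
        for member in outer:
            if member.name != INNER_NAME or not member.isreg():
                continue  # the manifest is not what the trust decision is about
            reader = HashingReader(outer.extractfile(member))
            # The digest covers the compressed bytes as stored, which is what the
            # repo database hashed; decompression happens after hashing. The
            # outer mode ("r|") must match how the outer archive is stored.
            with tarfile.open(fileobj=reader, mode="r|gz") as inner:
                for entry in inner:
                    if entry.isreg():
                        files[entry.name] = inner.extractfile(entry).read()
            actual = reader.drain()
            if actual != trusted_digest:
                # Nothing extracted so far is returned; discard and fail closed.
                raise ValueError(f"sha256 mismatch: expected {trusted_digest}, got {actual}")
            return files
    raise ValueError(f"{INNER_NAME} not found in outer archive")


if __name__ == "__main__":
    sample = {"bin/hello": b"#!/bin/sh\necho hello\n", "share/doc/README": b"constructed sample\n"}
    pkg, good_digest = build_package(sample)
    print(sorted(extract_nested(pkg, good_digest)))
```

Because the inner archive is read as a stream, the digest is only known once the whole member has been consumed; the code therefore buffers what it extracted and hands it back only after the comparison succeeds, which is the price of verifying without a temporary copy of the inner tarball.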
