Cryptographically enabled ports tree.
Colin Percival
colin.percival at wadham.ox.ac.uk
Sat Jun 21 20:52:26 PDT 2003
At 20:36 21/06/2003 -0700, David Schultz wrote:
>On Sun, Jun 22, 2003, Colin Percival wrote:
> > What we need is something integrated into the CVS system which rebuilds
> > the necessary signatures every time the ports tree is modified, and
> > commits those into the CVS tree. Any CVS experts around who could say
> > how to do this?
>
>You don't even have to do that. The tree just needs to be signed
>once for every release.
If that's all you want, download the release ISO image; you can verify
its MD5 hash against the signed announcement, mount the ISO, and install
the ports tree.
>I don't
>see why people need to update their ports tree more often than
>once a release.
Well, there are these ugly things called security bugs.
>Granted, anyone who wanted to offer a (less secure) daily port
>tree signing service or something, they could easily do so with
>access to cvsup-master.
True, but that wouldn't be transparent. People would have to tell cvsup
to fetch a particular snapshot of the ports tree, to match the most recent
signature; much better if they can cvsup as per normal, get the latest
versions of everything, and have the signature come along automatically.
> (It used to be you could talk to jdp@ for
>this; I'm not sure who is responsible now.)
cvsup-master is now owned by kuriyama at .
> Actually, I'm not
>sure whether cvsup's authentication is one-way or two-way, though.
Two-way.
Colin Percival
More information about the freebsd-chat mailing list