[ECFT] pkgng 0.1-alpha1: a replacement for pkg_install

Baptiste Daroussin bapt at freebsd.org
Tue Mar 29 05:51:02 UTC 2011

2011/3/29 Tim Kientzle <kientzle at freebsd.org>:
>>>>> II. Package signing.
>>>> That would be really nice.
>>> Right know we only planned to sign the repo database, so we can trust
>>> the sah256 of the packages stored in the database. Then if the package
>>> has the same sha256 as the one in the repo database it is considered
>>> trusted.
>>> If we want a per-package signing, we would have a tarball in a tarball.
>> I really expected this to have been mentioned already, but this approach (tarball in a tarball) is taken by Debian packages, and I don't remember hearing of any issues related to it.  I don't think it's worth discounting from the start without giving some considerationg, but I will defer to the people actually doing the work.
> If you use libarchive-style streaming, it's even
> pretty straightforward to read and extract such
> things without having to create a bunch of
> temporary files.
> You just need to be careful about compression.
> Tim

ok but what is the problem with signing only the repository then rely on digest?

I am not sure we need more that this.

second question howto sign? pgp? ssl?

First would be the easiest way to go but we don't have in base
anything to check signatures (maybe we should in that case
investigating to import netpgp), ssl why not? but which algorithm?
what security officer would prefer?

We are ok to investigate that part, but we need more information about
what is expected.


More information about the freebsd-ports mailing list