Date:      Mon, 1 Jan 2001 17:42:29 -0200
From:      "Mario Sergio Fujikawa Ferreira" <lioux@uol.com.br>
To:        Wes Peters <wes@softweyr.com>
Cc:        freebsd-ports@freebsd.org, sobomax@freebsd.org
Subject:   Re: Package signing tools
Message-ID:  <20010101174229.C3416@Fedaykin.here>
In-Reply-To: <3A50D2B7.5AD86D9E@softweyr.com>; from wes@softweyr.com on Mon, Jan 01, 2001 at 11:55:29AM -0700
References:  <3A4ED1C0.14061CE5@softweyr.com> <20001231003920.A24519@peorth.iteration.net> <3A4EDCA9.5CEA7114@softweyr.com> <20010101083459.B12422@citusc.usc.edu> <20010101143803.A3416@Fedaykin.here> <3A50C6A8.3E02FAE@softweyr.com> <20010101161001.B3416@Fedaykin.here> <3A50D2B7.5AD86D9E@softweyr.com>

On Mon, Jan 01, 2001 at 11:55:29AM -0700, Wes Peters wrote:
> Mario Sergio Fujikawa Ferreira wrote:
> > 
> > On Mon, Jan 01, 2001 at 11:04:02AM -0700, Wes Peters wrote:
> > > Mario Sergio Fujikawa Ferreira wrote:
> > > >
> > > > On Mon, Jan 01, 2001 at 08:34:37AM -0800, Kris Kennaway wrote:
> > > > > On Sun, Dec 31, 2000 at 12:13:45AM -0700, Wes Peters wrote:
> > > > >
> > > > > > Yeah, it's a good idea, but this is really a simple standalone program.
> > > > > > It doesn't prevent you from pkg_add'ing something, you have to choose to
> > > > > > pkg_check it and see if the result is kosher.  It is at this time orthogonal
> > > > > > to pkg_version.
> > > > >
> > > > > Checking the signature should be automatic and part of pkg_add, which
> > > > > should refuse to add the package if it fails.
> > > >
> > > >         And, "smart users" should be allowed to bypass this if
> > > > they wish so. ;)
> > > >         Just like checksum. But, with scarier warnings.
> > >
> > > Right.  Should checking the signature be the default, with an option to
> > > skip it, or should it be optional to pkg_add?
> > 
> >         I think that it should be optional for now.
> >         We have an awful amount of non-signed packages floating
> > around the net. Then, with the next release comes (4.3R or whatever),
> > this should become the default.
> 
> I don't see pkg_add refusing to add an unsigned package, since as of yet
> no signed packages exist.  I can see telling the user the package is
> unsigned and asking if you want to continue, unless -f has been specified.
> 
> >         Unless, of course, that not-having a signature would be
> > considered all right for old packages (as a compatibility note).
> > Anything we could include in the packages aside of the signature
> > to allow us to identify them as "new" or "old"?
> 
> Don't sign them?  ;^)

	That's exactly what I had implied by "aside of the signature".
;-) Ain't we cute. Heheheh
	I would like a better way other than signature.
Or, another way besides it.
	There is always someone who can find a very valid
reason for a package to be "new" and not signed. I am just asking,
we can always rule all non-signed "old".
	Is sobomax's plist info addition feasible for that kind of
"version" detection?

-- 
Mario S F Ferreira - UnB - Brazil - "I guess this is a signature."
lioux at ( freebsd dot org | linf dot unb dot br )
flames to beloved devnull@someotherworldbeloworabove.org
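
The policy the thread converges on (verify automatically inside pkg_add, refuse on a bad signature, prompt on an unsigned package unless -f was given, make signatures the default in a later release, and use a plist marker to tell signing-era packages from older ones), written out as an added Go example that is not part of this message or of the FreeBSD pkg_* tools. Ed25519 over the packing list stands in for whatever scheme the real signing tool would use, the `@comment SIGNED:yes` plist line is a hypothetical marker, and the key pair is derived from a constructed seed so the program runs offline:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Decision is what a pkg_add-style installer does with a package.
type Decision int

const (
	Accept Decision = iota // install
	Prompt                 // unsigned package from before signing: ask the user
	Refuse                 // bad signature, or unsigned while signatures are required
)

func (d Decision) String() string { return [...]string{"ACCEPT", "PROMPT", "REFUSE"}[d] }

// Package is a constructed stand-in for a binary package: its packing list
// and an optional detached signature over that packing list.
type Package struct {
	Name      string
	Plist     []byte
	Signature []byte // nil for packages built before signing existed
}

// SignedMarker is a hypothetical plist line that signing-era packages carry.
const SignedMarker = "@comment SIGNED:yes"

// Policy holds the installer's switches: -f (Force) and whether signatures
// are required by default (the thread's "becomes the default next release").
type Policy struct {
	Force         bool
	RequireSigned bool
	TrustedKey    ed25519.PublicKey
}

// Check decides what to do with pkg and says why.
func (p Policy) Check(pkg Package) (Decision, string) {
	if pkg.Signature != nil {
		if ed25519.Verify(p.TrustedKey, pkg.Plist, pkg.Signature) {
			return Accept, "signature verified"
		}
		// Present-but-wrong signature: the contents differ from what the
		// signer saw. Fail closed unless the user explicitly forces it.
		if p.Force {
			return Accept, "BAD SIGNATURE: installed only because -f was given"
		}
		return Refuse, "BAD SIGNATURE: contents do not match the signature"
	}
	// No signature. The marker can only say a package claims to be "new";
	// its absence proves nothing, since an unsigned plist can be edited,
	// so the marker may tighten the decision but never loosen it.
	if bytes.Contains(pkg.Plist, []byte(SignedMarker)) {
		if p.Force {
			return Accept, "signed-era package without a signature: installed only because -f was given"
		}
		return Refuse, "signed-era package without a signature"
	}
	if p.RequireSigned {
		if p.Force {
			return Accept, "unsigned package: installed only because -f was given"
		}
		return Refuse, "unsigned package and signatures are required"
	}
	if p.Force {
		return Accept, "unsigned package: -f given, not asking"
	}
	return Prompt, "package is unsigned (built before signing?); continue [y/N]?"
}

// DemoKeys derives a fixed Ed25519 key pair from a constructed seed; a real
// installer loads the trusted public key from the system instead.
func DemoKeys() (ed25519.PrivateKey, ed25519.PublicKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv, priv.Public().(ed25519.PublicKey)
}

// SignPackage produces a signed package, as a build host would.
func SignPackage(priv ed25519.PrivateKey, name string, plist []byte) Package {
	return Package{Name: name, Plist: plist, Signature: ed25519.Sign(priv, plist)}
}

func main() {
	priv, pub := DemoKeys()
	plist := []byte("@name demo-1.0\n" + SignedMarker + "\nbin/demo\n")
	good := SignPackage(priv, "demo-1.0", plist)
	bad := good // same signature, altered contents
	bad.Plist = append(append([]byte{}, plist...), "sbin/extra\n"...)
	old := Package{Name: "legacy-0.9", Plist: []byte("@name legacy-0.9\nbin/legacy\n")}
	for _, pol := range []Policy{{TrustedKey: pub}, {TrustedKey: pub, RequireSigned: true}, {TrustedKey: pub, Force: true}} {
		for _, pkg := range []Package{good, bad, old} {
			d, why := pol.Check(pkg)
			fmt.Printf("require=%-5v force=%-5v %-11s -> %-6s %s\n", pol.RequireSigned, pol.Force, pkg.Name, d, why)
		}
	}
}
```

The marker only ever makes the decision stricter: a package whose plist claims it was signed but which carries no signature is refused, while a package with neither marker nor signature is treated as old and prompted for, because an unsigned packing list cannot vouch for its own age. Flipping RequireSigned is the whole "make it the default next release" change; -f remains the escape hatch in every branch, with the reason string carrying the scarier warning.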

