Message-ID: <3A520D8F.88498372@softweyr.com>
Date: Tue, 02 Jan 2001 10:19:11 -0700
From: Wes Peters
Organization: Softweyr LLC
To: Guido van Rooij
Cc: Kris Kennaway, Mario Sergio Fujikawa Ferreira, "Michael C . Wu", ports@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: Package signing tools

Guido van Rooij wrote:
>
> On Tue, Jan 02, 2001 at 05:03:51AM -0800, Kris Kennaway wrote:
> >
> > We need to think about how this is going to be used by the project,
> > too. Packages are built automatically, so they'd need to be signed
> > automatically. That puts the signing machine(s) in a (more) dangerous
>
> Not necessarily. Though if done after the building phase, there is
> a race that someone breaks into the machine and changes packages
> before they are signed. But such a race always exists..
>
> But then again...what exactly does the signing do. IMO signing means
> that the package originated from the FreeBSD project and was not altered
> after release.
        ^^^^^^^^ signing.

And that's all it means. What you got is what they sent.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters
Softweyr LLC
wes@softweyr.com
http://softweyr.com/