Date:      Wed, 07 Feb 2001 10:33:45 -0700
From:      Wes Peters <wes@softweyr.com>
To:        Maxim Sobolev <sobomax@FreeBSD.org>
Cc:        ports@FreeBSD.org
Subject:   Re: Package integrity check?
Message-ID:  <3A8186F9.CF98EB75@softweyr.com>
References:  <20010205210459.A2479@acc.umu.se> <3A7F9AB6.5CAA983B@softweyr.com> <200102061526.KAA31832@khavrinen.lcs.mit.edu> <3A802FAF.792F61F5@softweyr.com> <3A8030F0.EA4D3A99@FreeBSD.org> <3A8108A2.DB335434@softweyr.com> <3A811E72.125885CD@FreeBSD.org>

Maxim Sobolev wrote:
> 
> Wes Peters wrote:
> 
> > Maxim Sobolev wrote:
> > >
> > > Wes Peters wrote:
> > >
> > > Are you going to reply to my question why a general utility for signing
> > > gzip-compressed files has been added to the pkg_install module? IMHO it's better to
> > > add it in its own directory under usr.bin, because it's not pkg_install specific at
> > > all.
> >
> > If you'd just read the code you'd find that your assertion isn't true.  I'm
> > really astonished at the amount of rhetoric being flung about by this commit
> > from people who obviously haven't bothered to look at the code.  Please feel
> > free to return with sensible comments when you have actually read the code.
> 
> It's a wrong assertion. I did read the code but was unable to find any traces indicating
> that pkg_sign is using any pkg_install infrastructure. Moreover, even the pkg_sign manpage
> indicates that it's just a general utility to sign gzip-compressed archives, so my
> question is pretty valid. You partially answered it in your other e-mail on the
> topic (it's where it is located in OpenBSD), but this is not a very strong point, as poor
> architectural choices of one project should not be automatically inherited by another
> just because 'it's how they did it'.

Go back and read the SHA1 code.

As indicated in another mail, Jeremy Lea has suggested some ways to 
improve this, within the framework of the improved version of the 
packaging tools he is working on.  The signatures are stuck in the gzip 
header right now because it is simple to extract the signature and 
because currently all packages are gzipped.  

Stuffing the signature inside the compressed/signed data leads to 
nasty chicken-and-egg problems where you have to uncompress the data to
retrieve the signature, and where the signature itself modifies the
data you are trying to sign.  Whatever format is chosen for packaging
tools would be wise to include some facility for attaching a signature
that is external to the compressed contents of the package itself.  The
ability to attach and verify multiple signatures might be of some value
too; the current tools allow that but don't really verify them well.

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
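
The trade-off described in the message above, as an added example that is not part of the original e-mail and is not pkg_sign's code: a tag kept in the gzip header's optional extra field (RFC 1952 FEXTRA) can be read and checked without inflating anything, and attaching it leaves the signed bytes untouched. The subfield id `SG`, the demo key, the sample payload and the use of HMAC-SHA256 in place of a real public-key signature are assumptions made for illustration.

```python
import gzip, hashlib, hmac, struct

FEXTRA = 0x04                       # FLG bit 2 in RFC 1952
SUBFIELD_ID = b"SG"                 # hypothetical subfield id (assumption)
DEMO_KEY = b"constructed-demo-key"  # HMAC stands in for a real signature

def mac(signed_region: bytes) -> bytes:
    return hmac.new(DEMO_KEY, signed_region, hashlib.sha256).digest()

def read_subfields(blob: bytes):
    """Parse only the gzip header: ({id: [values]}, bytes after the extra field)."""
    if len(blob) < 10 or blob[:3] != b"\x1f\x8b\x08":
        raise ValueError("not a gzip member")
    if not blob[3] & FEXTRA:
        return {}, blob[10:]
    if len(blob) < 12:
        raise ValueError("truncated header")
    (xlen,) = struct.unpack_from("<H", blob, 10)
    extra, rest = blob[12:12 + xlen], blob[12 + xlen:]
    if len(extra) != xlen:
        raise ValueError("truncated extra field")
    fields, pos = {}, 0
    while pos < xlen:                       # walk SI1 SI2 LEN data records
        if pos + 4 > xlen:
            raise ValueError("truncated subfield header")
        (n,) = struct.unpack_from("<H", extra, pos + 2)
        if pos + 4 + n > xlen:
            raise ValueError("subfield overruns XLEN")
        fields.setdefault(extra[pos:pos + 2], []).append(extra[pos + 4:pos + 4 + n])
        pos += 4 + n
    return fields, rest

def attach(gz: bytes) -> bytes:
    """Insert a tag over everything after the fixed header; the payload is not rewritten."""
    if gz[3] & FEXTRA:
        raise ValueError("example only handles members without an extra field")
    rest = gz[10:]
    tag = mac(rest)
    sub = SUBFIELD_ID + struct.pack("<H", len(tag)) + tag
    return gz[:3] + bytes([gz[3] | FEXTRA]) + gz[4:10] + struct.pack("<H", len(sub)) + sub + rest

def verify(blob: bytes) -> bool:
    """True only if at least one tag is present and every tag matches; no inflate needed."""
    fields, rest = read_subfields(blob)
    tags = fields.get(SUBFIELD_ID, [])
    return bool(tags) and all(hmac.compare_digest(t, mac(rest)) for t in tags)

PAYLOAD = b"constructed package contents\n" * 20   # constructed sample data
PLAIN = gzip.compress(PAYLOAD, mtime=0)
SIGNED = attach(PLAIN)
```

Because the tag sits outside the region it covers, `SIGNED` still decompresses with any standard gzip reader, and removing or replacing the extra field does not change the bytes that were signed.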

