Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 29 Mar 2011 05:50:41 +0000
From:      Baptiste Daroussin <bapt@freebsd.org>
To:        Tim Kientzle <kientzle@freebsd.org>
Cc:        ports@freebsd.org, hackers@freebsd.org, current@freebsd.org
Subject:   Re: [ECFT] pkgng 0.1-alpha1: a replacement for pkg_install
Message-ID:  <AANLkTinxOYx0zBAti4uqmc7_Adx9Ucnovy9Zf1J=ogPP@mail.gmail.com>
In-Reply-To: <DF9D9589-56C3-40DF-992F-9F62A2FC1173@freebsd.org>
References:  <20110325101111.GA36840__48943.3474642739$1301049771$gmane$org@azathoth.lan> <4D90C8EA.2000901@freebsd.org> <AANLkTinaz9Y6kgjQvdS1Pu%2Bkay50DUs6FubcbCxcc3W2@mail.gmail.com> <AANLkTi=uPaaxUVUDL3CPWByOeOZ2TjziUbrY7pJLQyAa@mail.gmail.com> <alpine.GSO.1.10.1103282328340.19944@multics.mit.edu> <DF9D9589-56C3-40DF-992F-9F62A2FC1173@freebsd.org>

next in thread | previous in thread | raw e-mail | index | archive | help
2011/3/29 Tim Kientzle <kientzle@freebsd.org>:
>>>>> II. Package signing.
>>>>
>>>> That would be really nice.
>>>
>>> Right know we only planned to sign the repo database, so we can trust
>>> the sah256 of the packages stored in the database. Then if the package
>>> has the same sha256 as the one in the repo database it is considered
>>> trusted.
>>> If we want a per-package signing, we would have a tarball in a tarball.
>>
>> I really expected this to have been mentioned already, but this approach=
 (tarball in a tarball) is taken by Debian packages, and I don't remember h=
earing of any issues related to it. =A0I don't think it's worth discounting=
 from the start without giving some considerationg, but I will defer to the=
 people actually doing the work.
>
> If you use libarchive-style streaming, it's even
> pretty straightforward to read and extract such
> things without having to create a bunch of
> temporary files.
>
> You just need to be careful about compression.
>
> Tim
>
>

ok but what is the problem with signing only the repository then rely on di=
gest?

I am not sure we need more that this.

second question howto sign? pgp? ssl?

First would be the easiest way to go but we don't have in base
anything to check signatures (maybe we should in that case
investigating to import netpgp), ssl why not? but which algorithm?
what security officer would prefer?

We are ok to investigate that part, but we need more information about
what is expected.

regards,
Bapt



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTinxOYx0zBAti4uqmc7_Adx9Ucnovy9Zf1J=ogPP>