Date:      Tue, 28 Jan 2003 12:32:53 -0500
From:      Jason Harris <jharris@widomaker.com>
To:        "Simon 'corecode' Schubert" <corecode@corecode.ath.cx>
Cc:        ports@freebsd.org, Jason Harris <jharris@widomaker.com>
Subject:   Re: ports/47563: [maintainer-update] ports/www/elinks 0.3.2 -> 0.4.2
Message-ID:  <20030128173253.GA417@pm1.ric-46.lft.widomaker.com>
In-Reply-To: <20030128121225.050b2325.corecode@corecode.ath.cx>
References:  <200301271923.h0RJNBQ01808@pm1.ric-17.lft.widomaker.com> <20030128121225.050b2325.corecode@corecode.ath.cx>

On Tue, Jan 28, 2003 at 12:12:25PM +0100, Simon 'corecode' Schubert wrote:
> Lately Jason Harris told:

[adding PGP signatures for ports/www/elinks to distinfo]
[distinfo data snipped so I don't sign potentially modified values  :) ]
> i understand this is not specific to this update (thus sent to ports@)
> but still i'd like to discuss about it:
>
> o is there a point in fetching the signature when it's not being checked
> by the ports' infrastructure (and thus ignored while building /
> installing)?

I like the extra assurance that the files are authentic, but hunting
down signatures manually is a real pain.  Fetching them automatically
also brings attention to their existence.

> do we optionally want to introduce such a feature? but how do we check
> for the validity of the signature? add the key fingerprint to the port
> and let gnupg fetch the key automatically? include the key itself?
>
> i think it might be an interesting thing to do, but is this needed in
> aspect of us already recording md5s?

The files in the ports tree are not PGP-signed.  If an attacker can
modify MD5 hashes in distinfo files, they can modify the recorded key
fingerprints as well.

I PGP-sign my PRs so the MD5 hashes can be verified, but these signatures
don't (can't) get recorded in the ports tree.  If the distinfo files,
at minimum, were PGP-signed by the ports committers, this would allow
easy verification of their contents.  Patches in ports/*/*/files/ can
also be clearsigned (w/o dash escaping) - patch(1) skips PGP signatures
without complaining.  Makefiles would need detached signatures to
not confuse make(1), however.  Signing pkg-plist files is also
recommended.

-- 
Jason Harris          | NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris@widomaker.com | web:  http://jharris.cjb.net/
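
Added example (not part of the original message and not ports-tree code): it shows why MD5 hashes in an unsigned distinfo do not detect an attacker who changes the distfile and distinfo together, and how authenticating distinfo itself closes that gap. Assumptions: HMAC-SHA256 with a key kept outside the tree stands in for a committer's detached PGP signature, and the file name, key and contents are constructed.

```python
import hashlib
import hmac
import re

# BSD md5(1)-style line as recorded in distinfo: "MD5 (name) = hex"
DISTINFO_LINE = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<md5>[0-9a-f]{32})$")

def parse_distinfo(text):
    """Return {distfile name: md5 hex}; reject anything that is not a hash line."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = DISTINFO_LINE.match(line)
        if m is None:
            raise ValueError("unrecognised distinfo line: %r" % line)
        entries[m.group("name")] = m.group("md5")
    return entries

def md5_check(distinfo_text, distfiles):
    """Unsigned check: every distfile matches the hash recorded next to it."""
    entries = parse_distinfo(distinfo_text)
    return bool(entries) and all(
        name in distfiles and hashlib.md5(distfiles[name]).hexdigest() == digest
        for name, digest in entries.items())

def sign(key, distinfo_text):
    """Stand-in (assumption) for a detached PGP signature over distinfo."""
    return hmac.new(key, distinfo_text.encode(), hashlib.sha256).hexdigest()

def authenticated_check(key, distinfo_text, signature, distfiles):
    """Authenticate distinfo first, then trust the hashes it records."""
    if not hmac.compare_digest(sign(key, distinfo_text), signature):
        return False
    return md5_check(distinfo_text, distfiles)

def make_distinfo(distfiles):
    return "".join("MD5 (%s) = %s\n" % (n, hashlib.md5(d).hexdigest())
                   for n, d in sorted(distfiles.items()))

# Constructed sample data: a fake distfile and a key the tree does not contain.
KEY = b"constructed-demo-key"
GOOD = {"example-1.0.tar.gz": b"constructed original tarball bytes"}
GOOD_DISTINFO = make_distinfo(GOOD)
GOOD_SIG = sign(KEY, GOOD_DISTINFO)

# Tampering as described above: distfile and distinfo are changed together.
BAD = {"example-1.0.tar.gz": b"constructed modified tarball bytes"}
BAD_DISTINFO = make_distinfo(BAD)
```

Here `md5_check(BAD_DISTINFO, BAD)` succeeds because the hashes were rewritten to match, while `authenticated_check(KEY, BAD_DISTINFO, GOOD_SIG, BAD)` fails because the signature covers the original distinfo.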
