From owner-freebsd-ports Tue Jan 28 9:33:33 2003 Delivered-To: freebsd-ports@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D0AB937B401 for ; Tue, 28 Jan 2003 09:33:31 -0800 (PST) Received: from pm1.ric-46.lft.widomaker.com (pm1.ric-46.lft.widomaker.com [209.96.189.62]) by mx1.FreeBSD.org (Postfix) with ESMTP id CE06143E4A for ; Tue, 28 Jan 2003 09:33:29 -0800 (PST) (envelope-from jason@pm1.ric-46.lft.widomaker.com) Received: (from jason@localhost) by pm1.ric-46.lft.widomaker.com (8.11.3/8.11.3) id h0SHX0K00653; Tue, 28 Jan 2003 12:33:00 -0500 (EST) (envelope-from jason) Date: Tue, 28 Jan 2003 12:32:53 -0500 From: Jason Harris To: "Simon 'corecode' Schubert" Cc: ports@freebsd.org, Jason Harris Subject: Re: ports/47563: [maintainer-update] ports/www/elinks 0.3.2 -> 0.4.2 Message-ID: <20030128173253.GA417@pm1.ric-46.lft.widomaker.com> References: <200301271923.h0RJNBQ01808@pm1.ric-17.lft.widomaker.com> <20030128121225.050b2325.corecode@corecode.ath.cx> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="rwEMma7ioTxnRzrJ" Content-Disposition: inline In-Reply-To: <20030128121225.050b2325.corecode@corecode.ath.cx> User-Agent: Mutt/1.4i Sender: owner-freebsd-ports@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --rwEMma7ioTxnRzrJ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jan 28, 2003 at 12:12:25PM +0100, Simon 'corecode' Schubert wrote: > Lately Jason Harris told: [adding PGP signatures for ports/www/elinks to distinfo] [distinfo data snipped so I don't sign potentially modified values :) ] > i understand this is not specific to this update (thus sent to ports@) > but still i'd like to discuss about it: >=20 > o is there a point in fetching the signature when it's not being checked > by the ports' infrastructure (and thus ignored while building / > installing)? I like the extra assurance that the files are authentic, but hunting down signatures manually is a real pain. Fetching them automatically also brings attention to their existence. > do we optionally want to introduce such a feature? but how do we check > for the validity of the signature? add the key fingerprint to the port > and let gnupg fetch the key automatically? include the key itself? >=20 > i think it might be an interresting thing to do, but is this needed in > aspect of us already recording md5s? The files in the ports tree are not PGP-signed. If an attacker can modify MD5 hashes in distinfo files, they can modify the recorded key fingerprints as well. I PGP-sign my PRs so the MD5 hashes can be verified, but these signatures don't (can't) get recorded in the ports tree. If the distinfo files, at minimum, were PGP-signed by the ports committers, this would allow easy verification of their contents. Patches in ports/*/*/files/ can also be clearsigned (w/o dash escaping) - patch(1) skips PGP signatures without complaining. Makefiles would need detached signatures to not confuse make(1), however. Signing pkg-plist files is also recommended. --=20 Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://jharris.cjb.net/ --rwEMma7ioTxnRzrJ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+Nr7ESypIl9OdoOMRAqCbAJ9uvCd6uvxEXCKorJpMCRRrtgJHywCgoQJP 7qloo8NcJvQ+K4PO7z+RRqE= =HXM2 -----END PGP SIGNATURE----- --rwEMma7ioTxnRzrJ-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message