Date:      Mon, 28 Mar 2011 23:31:03 -0400 (EDT)
From:      Benjamin Kaduk <kaduk@MIT.EDU>
To:        Julien Laffaye <jlaffaye@freebsd.org>
Cc:        ports@freebsd.org, Baptiste Daroussin <bapt@freebsd.org>, hackers@freebsd.org
Subject:   Re: [ECFT] pkgng 0.1-alpha1: a replacement for pkg_install
Message-ID:  <alpine.GSO.1.10.1103282328340.19944@multics.mit.edu>
In-Reply-To: <AANLkTi=uPaaxUVUDL3CPWByOeOZ2TjziUbrY7pJLQyAa@mail.gmail.com>
References:  <20110325101111.GA36840__48943.3474642739$1301049771$gmane$org@azathoth.lan> <4D90C8EA.2000901@freebsd.org> <AANLkTinaz9Y6kgjQvdS1Pu%2Bkay50DUs6FubcbCxcc3W2@mail.gmail.com> <AANLkTi=uPaaxUVUDL3CPWByOeOZ2TjziUbrY7pJLQyAa@mail.gmail.com>

On Mon, 28 Mar 2011, Julien Laffaye wrote:

> On Mon, Mar 28, 2011 at 6:59 PM, Garrett Cooper <gcooper@freebsd.org> wrote:
>> On Mon, Mar 28, 2011 at 10:44 AM, Andriy Gapon <avg@freebsd.org> wrote:
>>>
>>> II. Package signing.
>>
>> That would be really nice.
>
> Right now we only planned to sign the repo database, so we can trust
> the sha256 of the packages stored in the database. Then if the package
> has the same sha256 as the one in the repo database it is considered
> trusted.
> If we want a per-package signing, we would have a tarball in a tarball.

I really expected this to have been mentioned already, but this approach 
(tarball in a tarball) is taken by Debian packages, and I don't remember 
hearing of any issues related to it.  I don't think it's worth discounting 
from the start without giving some consideration, but I will defer to the 
people actually doing the work.

-Ben Kaduk
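The trust chain described in the quoted reply (sign only the repo database, then trust a package only if its sha256 matches the signed entry), as an added example that is not code from the thread or from pkgng; it assumes a hypothetical ed25519 repo key pair and a JSON catalog, both constructed here:

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Catalog stands in for the repo database: package file name -> sha256 hex digest.
type Catalog map[string]string

// EncodeCatalog serialises the catalog; json.Marshal sorts map keys, so the signed bytes are stable.
func EncodeCatalog(c Catalog) []byte {
	b, _ := json.Marshal(c) // cannot fail for a map[string]string
	return b
}

// BuildCatalog records the sha256 of every package tarball the repo offers.
func BuildCatalog(pkgs map[string][]byte) Catalog {
	c := Catalog{}
	for name, data := range pkgs {
		sum := sha256.Sum256(data)
		c[name] = hex.EncodeToString(sum[:])
	}
	return c
}

// SignCatalog signs only the catalog, not each package, with the repo's private key (assumed ed25519).
func SignCatalog(priv ed25519.PrivateKey, c Catalog) []byte {
	return ed25519.Sign(priv, EncodeCatalog(c))
}

// VerifyPackage is the client-side check: the catalog signature must verify under the repo
// public key before any digest in it is trusted; only then is the package's sha256 compared.
func VerifyPackage(pub ed25519.PublicKey, catalog, sig []byte, name string, pkg []byte) error {
	if !ed25519.Verify(pub, catalog, sig) {
		return fmt.Errorf("catalog signature invalid; no digest in it is trusted")
	}
	var c Catalog
	if err := json.Unmarshal(catalog, &c); err != nil {
		return err
	}
	sum := sha256.Sum256(pkg)
	if want, ok := c[name]; !ok || hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("%s: missing from signed catalog or sha256 mismatch", name)
	}
	return nil
}
```

A modified package, a package absent from the catalog, and a modified catalog all fail, which is the point of signing the database rather than each tarball.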