Message-ID: <40425855.4050006@fillmore-labs.com>
Date: Sun, 29 Feb 2004 22:23:33 +0100
From: Oliver Eikemeier
Organization: Fillmore Labs GmbH - http://www.fillmore-labs.com/
To: Jason Harris
cc: freebsd-ports-bugs@FreeBSD.org
References: <200402292021.i1TKLl7q016441@freefall.freebsd.org> <20040229211208.GA35429@pm1.ric-13.lft.widomaker.com>
In-Reply-To: <20040229211208.GA35429@pm1.ric-13.lft.widomaker.com>
Subject: Re: ports/63546: ports/security/libprelude - fetch PGP signature

Jason Harris wrote:

> On Sun, Feb 29, 2004 at 12:21:47PM -0800, Oliver Eikemeier wrote:
>
>>Synopsis: ports/security/libprelude - fetch PGP signature
>>
>>State-Changed-From-To: open->closed
>>State-Changed-By: eik
>>State-Changed-When: Sun Feb 29 21:13:54 CET 2004
>>State-Changed-Why:
>
>>- this should be more semi-automatic, like HAS_PGPSIGNATURE and `make pgpcheck'
>>- this interferes with PR 60558, since you can't simply add USE_GPG/PGP to the Makefile,
>>  you'll have to correct DISTFILES for that.
>
>>http://www.freebsd.org/cgi/query-pr.cgi?pr=63546
>
> Please review ports/sysutils/coreutils and the many other
> ports which currently set USE_GPG?= yes.

These are 8 ports:
- audio/gnump3d
- devel/cvsd
- ftp/lftp
- misc/less
- net/tcping
- sysutils/coreutils
- www/elinks
- www/lynx

Unfortunate, but I guess we can fix this.

I hope I made my point without offending you, but blindly downloading
and verifying a PGP signature is actually *less* secure than the md5
checksum in distinfo, and worse, it gives a false sense of security.

Regards
    Oliver
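
Added example, not part of the original message or of the ports tree: a Python comparison of the three checks the last paragraph contrasts, namely accepting any good signature, accepting only a signature from a pinned key fingerprint, and comparing against a digest recorded with the port. The fingerprints, file contents and `gpg --status-fd` lines are constructed, the function names are hypothetical, and SHA-256 stands in for the MD5 checksum the message mentions.

```python
import hashlib
import hmac

# All values below are constructed for illustration.
PINNED_FPR = "A" * 40      # fingerprint the port maintainer recorded out of band
OTHER_FPR = "B" * 40       # some other key that happens to be fetchable

GOOD_TARBALL = b"libprelude release contents"
SWAPPED_TARBALL = b"replaced contents"
DISTINFO_DIGEST = hashlib.sha256(GOOD_TARBALL).hexdigest()  # committed with the port


def gpg_status(fpr):
    """Constructed `gpg --status-fd` lines for a mathematically valid signature."""
    return [
        f"[GNUPG:] GOODSIG {fpr[-16:]} Example Signer <signer@example.org>",
        f"[GNUPG:] VALIDSIG {fpr} 2004-02-29 1078089813 0 3 0 17 2 00 {fpr}",
    ]


def blind_check(status):
    """Accept any good signature, whoever made it."""
    return any(line.startswith("[GNUPG:] GOODSIG ") for line in status)


def pinned_check(status, pinned_fpr):
    """Accept only a valid signature whose primary key fingerprint is the pinned one."""
    for line in status:
        fields = line.split()
        if len(fields) >= 12 and fields[1] == "VALIDSIG":
            return hmac.compare_digest(fields[-1].upper(), pinned_fpr.upper())
    return False


def distinfo_check(data, recorded_digest):
    """Compare the download against the digest stored in the ports tree."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), recorded_digest)


def evaluate(tarball, signer_fpr):
    """Run all three checks on one download signed by the given key."""
    status = gpg_status(signer_fpr)
    return {
        "blind": blind_check(status),
        "pinned": pinned_check(status, PINNED_FPR),
        "distinfo": distinfo_check(tarball, DISTINFO_DIGEST),
    }


if __name__ == "__main__":
    print("genuine:", evaluate(GOOD_TARBALL, PINNED_FPR))
    print("swapped:", evaluate(SWAPPED_TARBALL, OTHER_FPR))
```

For a replaced file signed by an unexpected key, only the blind check still passes; the pinned fingerprint and the recorded digest both reject it.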