Date:      Mon, 1 Mar 2004 00:22:22 +0100
From:      Daniel Roethlisberger <daniel@roe.ch>
To:        Oliver Eikemeier <eikemeier@fillmore-labs.com>
Cc:        Jason Harris <jharris@widomaker.com>
Subject:   Re: ports/63546: ports/security/libprelude - fetch PGP signature
Message-ID:  <20040229232221.GA10646@dragon.roe.ch>
In-Reply-To: <40425855.4050006@fillmore-labs.com>
References:  <200402292021.i1TKLl7q016441@freefall.freebsd.org> <20040229211208.GA35429@pm1.ric-13.lft.widomaker.com> <40425855.4050006@fillmore-labs.com>

Oliver Eikemeier <eikemeier@fillmore-labs.com> [2004-02-29/22:23]:
> [...] but blindly downloading and verifying a PGP signature is
> actually *less* secure than the md5 checksum in distinfo, and worse,
> it gives a false sense of security.

I don't think anybody meant to replace the md5 checksum with blind PGP
key verifications (blind, as in without a valid certification chain).

But until there is some kind of generic PGP support in bsd.port.mk,
downloading the signatures into distfiles/ is extremely practical for
everybody who wants to *manually* verify PGP signatures on distfiles
against their keyring's web of trust.

The signature files don't actually occupy a significant amount of space,
and take no time to download, so I really see no reason why it should
not be done, unless there's ready to go more generic PGP support in the
ports system soon.

Just my EUR 0.02.

Cheers,
Dan

-- 
Daniel Roethlisberger <daniel@roe.ch>
GnuPG key ID 0x804A06B1 (DSA/ElGamal)
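
Added example, not part of the original message or of the ports tree: a shell sketch of the distinction drawn above between a "blind" signature check and one backed by the local keyring's web of trust, using GnuPG's machine-readable `--status-fd` output. The function names, the verdict words, and the file arguments are assumptions made for illustration.

```shell
#!/bin/sh
# classify_gpg_status reads "gpg --status-fd" lines on stdin and prints one verdict:
#   trusted  good signature, signing key fully valid in the local web of trust
#   blind    good signature, but key validity is unknown or only marginal
#            (the "without a valid certification chain" case)
#   nokey    signing key is not in the keyring, so nothing was verified
#   bad      bad signature, expired/revoked/distrusted key, or no signature result
classify_gpg_status() {
    good=0 bad=0 nokey=0 trust=none
    while read -r tag keyword rest; do
        # Only lines prefixed with [GNUPG:] are status records.
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            GOODSIG) good=1 ;;
            BADSIG|EXPKEYSIG|REVKEYSIG|TRUST_NEVER) bad=1 ;;
            NO_PUBKEY) nokey=1 ;;
            TRUST_FULLY|TRUST_ULTIMATE) trust=full ;;
            TRUST_UNDEFINED|TRUST_MARGINAL) trust=weak ;;
        esac
    done
    if [ "$bad" -eq 1 ]; then
        echo bad
    elif [ "$good" -eq 1 ] && [ "$trust" = full ]; then
        echo trusted
    elif [ "$good" -eq 1 ]; then
        echo blind
    elif [ "$nokey" -eq 1 ]; then
        echo nokey
    else
        echo bad
    fi
}

# verify_distfile SIGNATURE DISTFILE
# Runs gpg on a detached signature that was fetched next to the distfile
# and classifies the result. Both paths are supplied by the caller.
verify_distfile() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_gpg_status
}
```

A "blind" verdict means only that the file matches whatever key produced the signature; it says nothing about who controls that key, which is why it cannot stand in for the checksum recorded in distinfo.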