Date: Mon, 1 Mar 2004 00:22:22 +0100
From: Daniel Roethlisberger <daniel@roe.ch>
To: Oliver Eikemeier <eikemeier@fillmore-labs.com>
Cc: Jason Harris <jharris@widomaker.com>
Subject: Re: ports/63546: ports/security/libprelude - fetch PGP signature
Message-ID: <20040229232221.GA10646@dragon.roe.ch>
In-Reply-To: <40425855.4050006@fillmore-labs.com>
References: <200402292021.i1TKLl7q016441@freefall.freebsd.org> <20040229211208.GA35429@pm1.ric-13.lft.widomaker.com> <40425855.4050006@fillmore-labs.com>

Oliver Eikemeier <eikemeier@fillmore-labs.com> [2004-02-29/22:23]:
> [...] but blindly downloading and verifying a PGP signature is
> actually *less* secure than the md5 checksum in distinfo, and worse,
> it gives a false sense of security.

I don't think anybody meant to replace the md5 checksum with blind PGP
key verifications (blind, as in without a valid certification chain).

But until there is some kind of generic PGP support in bsd.port.mk,
downloading the signatures into distfiles/ is extremely practical for
everybody who wants to *manually* verify PGP signatures on distfiles
against their keyring's web of trust. The signature files don't
actually occupy a significant amount of space, and take no time to
download, so I really see no reason why it should not be done, unless
there's ready to go more generic PGP support in the ports system soon.

Just my EUR 0.02.

Cheers,
Dan

-- 
Daniel Roethlisberger <daniel@roe.ch>
GnuPG key ID 0x804A06B1 (DSA/ElGamal)
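
Added example, not part of the original message or of the ports tree: a shell sketch of the distinction drawn above between a "blind" verification (good signature, but no valid certification chain to the key) and one backed by the keyring's web of trust, decided from GnuPG's machine-readable status lines. The function names, the verdict strings, the sample key ID and the choice to treat marginal validity as insufficient are assumptions made for illustration.

```shell
#!/bin/sh
# Classify the output of `gpg --status-fd 1 --verify` read from stdin.
# Verdicts (names chosen for this example):
#   trusted      good signature, key fully/ultimately valid in the keyring
#   blind        good signature, but no valid certification chain to the key
#   bad          bad or expired signature, or expired/revoked signing key
#   unknown-key  signature could not be checked: public key not in keyring
#   no-signature no usable signature status was reported
classify_gpg_status() {
    good=0; bad=0; nokey=0; trust=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)   good=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] EXPSIG "*) bad=1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) bad=1 ;;
            "[GNUPG:] NO_PUBKEY "*) nokey=1 ;;
            "[GNUPG:] TRUST_"*)
                trust=${line#"[GNUPG:] TRUST_"}   # e.g. "FULLY 0 pgp"
                trust=${trust%% *} ;;             # keep only "FULLY"
        esac
    done
    if [ "$bad" -eq 1 ]; then
        echo bad
    elif [ "$good" -eq 1 ]; then
        case "$trust" in
            FULLY|ULTIMATE) echo trusted ;;
            *) echo blind ;;   # UNDEFINED, NEVER, MARGINAL (policy assumption)
        esac
    elif [ "$nokey" -eq 1 ]; then
        echo unknown-key
    else
        echo no-signature
    fi
}

# Manual check of a distfile against its detached signature.
# usage: verify_distfile distfiles/foo.tar.gz.sig distfiles/foo.tar.gz
verify_distfile() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_gpg_status
}

# Constructed sample status output (key ID and user ID are made up):
SAMPLE_STATUS='[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] TRUST_UNDEFINED 0 pgp'
printf '%s\n' "$SAMPLE_STATUS" | classify_gpg_status
```

A "blind" verdict means the file matches whatever key was fetched and nothing more, so in that case the md5 checksum in distinfo remains the stronger check.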