Date:      Tue, 30 Jan 2007 10:44:12 +0100
From:      Kirill Ponomarew <krion@voodoo.bawue.com>
To:        Jason Harris <jharris@widomaker.com>
Cc:        secteam@FreeBSD.org, cvs-ports@FreeBSD.org, Gabor Kovesdan <gabor@FreeBSD.org>, cvs-all@FreeBSD.org, ports-committers@FreeBSD.org
Subject:   Re: cvs commit: ports/audio/gnump3d Makefile distinfo ports/devel/bglibs Makefile ports/devel/cppi Makefile ports/devel/cvsd Makefile ports/dns/walker Makefile distinfo ports/ftp/lftp Makefile distinfo ports/ftp/twoftpd Makefile ...
Message-ID:  <20070130094412.GF56322@voodoo.bawue.com>
In-Reply-To: <20070130005242.GA1059@wilma.widomaker.com>
References:  <200701291905.l0TJ57fG093002__13365.9557941884$1170098220$gmane$org@repoman.freebsd.org> <20070130005242.GA1059@wilma.widomaker.com>

On Mon, Jan 29, 2007 at 07:52:42PM -0500, Jason Harris wrote:
> On Mon, Jan 29, 2007 at 07:05:07PM +0000, Gabor Kovesdan wrote:
> > gabor       2007-01-29 19:05:07 UTC
> > 
> >   FreeBSD ports repository
> > 
> >   Modified files:
> 
> >   Log:
> >   Remove USE_GPG from all affected ports. This knob is a no-op and the way it
> >   was supposed to work is useless, because if we can't trust the distfile from
> >   the remote machine, we can't trust the signature from the same machine either.
> >   Our MD5 and SHA256 are good for checking both the sanity and the
> >   trustiness of distfiles.
> >   
> >   Approved by:    portmgr (erwin), erwin (mentor)
> 
> Please revert this.  
> 
> And, more importantly, please respect MAINTAINERs' wishes to make
> their ports more secure, by allowing the _automatic_ checking of
> GPG signatures as a first line of defense, rather than less secure.

This "_automatic_ checking of GPG signatures" never worked and
doesn't work since no code was put into bsd.port.mk.

IIRC we (portmgr) discussed the concerns about USE_GPG some years
ago and declined this idea per se.

-Kirill


