From owner-freebsd-ports@FreeBSD.ORG Tue Dec 30 05:35:00 2003
Delivered-To: freebsd-ports@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AEB0116A4CE; Tue, 30 Dec 2003 05:35:00 -0800 (PST)
Received: from naughty.monkey.org (naughty.monkey.org [66.93.9.164]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4064843D45; Tue, 30 Dec 2003 05:34:59 -0800 (PST) (envelope-from jose@monkey.org)
Received: by naughty.monkey.org (Postfix, from userid 6) id 88EDB1BA90F; Tue, 30 Dec 2003 08:34:58 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by naughty.monkey.org (Postfix) with ESMTP id 86E2C1BA90D; Tue, 30 Dec 2003 08:34:58 -0500 (EST)
Date: Tue, 30 Dec 2003 08:34:58 -0500 (EST)
From: Jose Nazario
To: Sergei Kolobov
In-Reply-To: <20031229063439.GA794@chetwood.ru>
References: <20031225134736.86816.qmail@kolobov.com> <20031228210730.GD7186@pm1.ric-22.lft.widomaker.com> <20031229063439.GA794@chetwood.ru>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: Jason Harris
cc: freebsd-ports@FreeBSD.org
Subject: Re: RFC: automatically verify GnuPG signatures
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Porting software to FreeBSD
X-List-Received-Date: Tue, 30 Dec 2003 13:35:00 -0000

I'm still against this. Here's a scenario that is all too common: you download package foo-1.2 for building with the ports tree, and it has a sig. You don't have the key, so you import it. Do you trust it? You're the discriminating sort, so you look at the signatures and you see that Jose Nazario signed it. Hey, you know him, oh, he has a key. So you say "ok".

Without tying that key back to the large, strong set of signed keys, you don't know for sure. About 1/3 of the packages I sampled last year don't map back to the strong set, so you can't do realistic key lookups. I gave some presentations on this and even have a paper in JOSU on this. This is why I am against it: the technology doesn't solve the real underlying problem.

I do suggest a change in your design, however. Don't list two DISTFILE entries and try to work out the logic about which one is a signature. Have DISTFILE and DISTFILE_SIG; then you never have to question it (and potentially make mistakes). It's also very clear to everyone what the file is.

I hope all is well.

PS: I don't use PGP. If you ever see a key from me, consider it invalid and probably compromised.

___________________________
jose nazario, ph.d.
jose@monkey.org
http://monkey.org/~jose/
http://infosecdaily.net/
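The distinction the mail draws, a signature that merely checks out versus one from a key that is actually trusted, is visible in GnuPG's machine-readable `--status-fd` output. The following sh snippet is an added example, not code from the thread or from the ports framework: it parses those status lines and only accepts a GOODSIG that is also accompanied by TRUST_FULLY or TRUST_ULTIMATE, so a freshly imported key (TRUST_UNDEFINED) is rejected. The `check_status`/`verify_distfile` functions, the `PORTS_KEYRING` path and the sample status lines are constructed for this example; the DISTFILE/DISTFILE_SIG names follow the naming suggested in the mail.

```sh
#!/bin/sh
# Added example: decide whether a detached GnuPG signature on a distfile
# is acceptable from "[GNUPG:] ..." status lines, not from gpg's exit code.

# Read status lines on stdin; print ACCEPT/REJECT, return 0 only for ACCEPT.
check_status() {
    goodsig=0 trusted=0 fatal=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)          goodsig=1 ;;   # signature verifies
            "[GNUPG:] TRUST_FULLY"*)       trusted=1 ;;   # key reachable in web of trust
            "[GNUPG:] TRUST_ULTIMATE"*)    trusted=1 ;;   # our own key
            "[GNUPG:] BADSIG "*)           fatal=1 ;;     # tampered file or wrong sig
            "[GNUPG:] ERRSIG "*)           fatal=1 ;;     # could not check (e.g. no key)
            "[GNUPG:] NO_PUBKEY "*)        fatal=1 ;;
            "[GNUPG:] EXPKEYSIG "*)        fatal=1 ;;     # good sig, but key expired
            "[GNUPG:] REVKEYSIG "*)        fatal=1 ;;     # good sig, but key revoked
        esac
    done
    # TRUST_UNDEFINED / TRUST_NEVER / TRUST_MARGINAL leave trusted=0, so an
    # imported-but-unvouched key (the scenario in the mail) ends up here.
    if [ "$fatal" -eq 0 ] && [ "$goodsig" -eq 1 ] && [ "$trusted" -eq 1 ]; then
        echo ACCEPT
        return 0
    fi
    echo REJECT
    return 1
}

# Verify $DISTFILE against $DISTFILE_SIG using a dedicated keyring
# (PORTS_KEYRING is a hypothetical path).  Exit status comes from check_status.
verify_distfile() {
    DISTFILE=$1
    DISTFILE_SIG=$2
    PORTS_KEYRING=${3:-/usr/local/etc/ports-keyring.gpg}
    gpg --batch --no-default-keyring --keyring "$PORTS_KEYRING" \
        --status-fd 1 --verify "$DISTFILE_SIG" "$DISTFILE" 2>/dev/null | check_status
}
```

Trust levels come from the keyring's owner-trust and web-of-trust computation, so a key that is imported but not certified by anyone you trust stays at TRUST_UNDEFINED and the distfile is rejected even though the signature itself is good.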