From owner-freebsd-ports@FreeBSD.ORG  Tue Dec 30 05:35:00 2003
Return-Path: <owner-freebsd-ports@FreeBSD.ORG>
Delivered-To: freebsd-ports@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id AEB0116A4CE; Tue, 30 Dec 2003 05:35:00 -0800 (PST)
Received: from naughty.monkey.org (naughty.monkey.org [66.93.9.164])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 4064843D45; Tue, 30 Dec 2003 05:34:59 -0800 (PST)
	(envelope-from jose@monkey.org)
Received: by naughty.monkey.org (Postfix, from userid 6)
	id 88EDB1BA90F; Tue, 30 Dec 2003 08:34:58 -0500 (EST)
Received: from localhost (localhost [127.0.0.1])
	by naughty.monkey.org (Postfix) with ESMTP
	id 86E2C1BA90D; Tue, 30 Dec 2003 08:34:58 -0500 (EST)
Date: Tue, 30 Dec 2003 08:34:58 -0500 (EST)
From: Jose Nazario <jose@monkey.org>
To: Sergei Kolobov <sergei@FreeBSD.org>
In-Reply-To: <20031229063439.GA794@chetwood.ru>
Message-ID: <Pine.BSO.4.58.0312300830150.1098@naughty.monkey.org>
References: <20031225134736.86816.qmail@kolobov.com>
	<20031228210730.GD7186@pm1.ric-22.lft.widomaker.com>
	<Pine.BSO.4.58.0312281644350.15545@naughty.monkey.org>
	<20031225134736.86816.qmail@kolobov.com>
	<20031228210730.GD7186@pm1.ric-22.lft.widomaker.com>
	<Pine.BSO.4.58.0312281644350.15545@naughty.monkey.org>
	<20031228210730.GD7186@pm1.ric-22.lft.widomaker.com>
	<20031229063439.GA794@chetwood.ru>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: Jason Harris <jharris@widomaker.com>
cc: freebsd-ports@FreeBSD.org
Subject: Re: RFC: automatically verify GnuPG signatures
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
	<mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
	<mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Dec 2003 13:35:00 -0000

i'm still against this. here's a scenario that is all too common:

you download package foo-1.2 for building with the ports tree, it has a
sig. you dont have the key, so you import it. do you trust it? you're the
discriminating sort, so you look at the signatures and you see that Jose
Nazario signed it. hey, you know him, oh, he has a key.  so you say "ok".

without tying that key back to the large, strong set of signed keys, you
don't know for sure. about 1/3 of the packages i sampled last year don't
map back to the strong set, so you can't do realistic key lookups. i gave
some presentations on this and even have a paper in JOSU on this. this is
why i am against it, the technology doesn't solve the real underlying
problem.

i do suggest a change in your design, however. dont list two DISTFILE
entries and try and work out the logic about which is a signature. have
DISTFILE and DISTFILE_SIG, then you never had to question (and potentially
make mistakes). it's also very clear to everyone what the file is.

i hope all is well.

ps: i dont use pgp. if you ever see a key from me consider it invalid and
probably compromised.

___________________________
jose nazario, ph.d.			jose@monkey.org
					http://monkey.org/~jose/
					http://infosecdaily.net/