Date: Sun, 29 Feb 2004 22:23:33 +0100
From: Oliver Eikemeier <eikemeier@fillmore-labs.com>
To: Jason Harris <jharris@widomaker.com>
Cc: freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/63546: ports/security/libprelude - fetch PGP signature
Message-ID: <40425855.4050006@fillmore-labs.com>
In-Reply-To: <20040229211208.GA35429@pm1.ric-13.lft.widomaker.com>
References: <200402292021.i1TKLl7q016441@freefall.freebsd.org> <20040229211208.GA35429@pm1.ric-13.lft.widomaker.com>

Jason Harris wrote:

> On Sun, Feb 29, 2004 at 12:21:47PM -0800, Oliver Eikemeier wrote:
>
>>Synopsis: ports/security/libprelude - fetch PGP signature
>>
>>State-Changed-From-To: open->closed
>>State-Changed-By: eik
>>State-Changed-When: Sun Feb 29 21:13:54 CET 2004
>>State-Changed-Why:
>
>>- this should be more semi-automatic, like HAS_PGPSIGNATURE and `make pgpcheck'
>>- this interferes with PR 60558, since you can't simply add USE_GPG/PGP to the Makefile,
>>  you'll have to correct DISTFILES for that.
>
>>http://www.freebsd.org/cgi/query-pr.cgi?pr=63546
>
> Please review ports/sysutils/coreutils and the many other
> ports which currently set USE_GPG?= yes.

These are 8 ports:
- audio/gnump3d
- devel/cvsd
- ftp/lftp
- misc/less
- net/tcping
- sysutils/coreutils
- www/elinks
- www/lynx

Unfortunate, but I guess we can fix this. I hope I made my point without
offending you, but blindly downloading and verifying a PGP signature is
actually *less* secure than the md5 checksum in distinfo, and worse, it
gives a false sense of security.

Regards
    Oliver