On Mon, 28 Mar 2011, Julien Laffaye wrote:

On Mon, Mar 28, 2011 at 6:59 PM, Garrett Cooper <gcoo...@freebsd.org> wrote:
On Mon, Mar 28, 2011 at 10:44 AM, Andriy Gapon <a...@freebsd.org> wrote:

II. Package signing.

That would be really nice.

Right now we only planned to sign the repo database, so we can trust
the sha256 of the packages stored in the database. Then if the package
has the same sha256 as the one in the repo database, it is considered
trusted.
If we want a per-package signing, we would have a tarball in a tarball.

I really expected this to have been mentioned already, but this approach (tarball in a tarball) is taken by Debian packages, and I don't remember hearing of any issues related to it. I don't think it's worth discounting from the start without giving it some consideration, but I will defer to the people actually doing the work.

-Ben Kaduk
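The repo-database signing scheme Julien describes above (sign the database, then trust a package only if its sha256 matches the entry in the signed database) is shown below as an added, stand-alone example. It is not code from the thread or from the FreeBSD pkg project: the Ed25519 key, the JSON database layout, the package names and the "tarball" bytes are all constructed stand-ins, and the function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// RepoDB is a hypothetical stand-in for the repository database: it maps a
// package file name to the hex sha256 of that package's tarball.
type RepoDB map[string]string

// PackageHash returns the hex sha256 of a package tarball's bytes.
func PackageHash(pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:])
}

// SignRepoDB serialises the database deterministically (encoding/json emits
// map keys in sorted order) and signs exactly those bytes with the repo key.
// Clients receive the serialised bytes plus the detached signature.
func SignRepoDB(priv ed25519.PrivateKey, db RepoDB) (dbBytes, sig []byte, err error) {
	dbBytes, err = json.Marshal(db)
	if err != nil {
		return nil, nil, err
	}
	return dbBytes, ed25519.Sign(priv, dbBytes), nil
}

// VerifyPackage performs the two-step check from the thread: the database
// signature is verified with the repo public key first, and only then is the
// package tarball's sha256 compared with the entry in the now-trusted
// database. Any failure rejects the package.
func VerifyPackage(pub ed25519.PublicKey, dbBytes, sig []byte, name string, pkg []byte) error {
	if !ed25519.Verify(pub, dbBytes, sig) {
		return errors.New("repo database signature invalid: database is not trusted")
	}
	var db RepoDB
	if err := json.Unmarshal(dbBytes, &db); err != nil {
		return fmt.Errorf("corrupt repo database: %w", err)
	}
	want, ok := db[name]
	if !ok {
		return fmt.Errorf("package %q not listed in repo database", name)
	}
	if got := PackageHash(pkg); got != want {
		return fmt.Errorf("package %q sha256 mismatch: want %s, got %s", name, want, got)
	}
	return nil
}

// Scenario builds a constructed repo with two fake "tarballs", signs the
// database, and reports whether the verifier accepts the genuine package
// and rejects both a modified package and a modified database entry.
func Scenario() (genuineOK, modifiedPkgRejected, modifiedDBRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	pkgA := []byte("constructed contents of pkgA-1.0.txz")
	pkgB := []byte("constructed contents of pkgB-2.3.txz")
	db := RepoDB{"pkgA-1.0.txz": PackageHash(pkgA), "pkgB-2.3.txz": PackageHash(pkgB)}
	dbBytes, sig, err := SignRepoDB(priv, db)
	if err != nil {
		return false, false, false, err
	}
	genuineOK = VerifyPackage(pub, dbBytes, sig, "pkgA-1.0.txz", pkgA) == nil

	// A package whose bytes changed after the database was built: hash mismatch.
	altered := append([]byte{}, pkgA...)
	altered = append(altered, " with extra bytes"...)
	modifiedPkgRejected = VerifyPackage(pub, dbBytes, sig, "pkgA-1.0.txz", altered) != nil

	// A database whose entry was edited to match the altered package: the
	// signature no longer covers these bytes, so the database itself is rejected.
	editedDB := bytes.Replace(dbBytes, []byte(PackageHash(pkgA)), []byte(PackageHash(altered)), 1)
	modifiedDBRejected = VerifyPackage(pub, editedDB, sig, "pkgA-1.0.txz", altered) != nil
	return genuineOK, modifiedPkgRejected, modifiedDBRejected, nil
}

func main() {
	g, p, d, err := Scenario()
	fmt.Println("genuine accepted:", g, "modified package rejected:", p,
		"modified database rejected:", d, "err:", err)
}
```

The order of the two checks is the point of the design: the hash in the database is only meaningful once the signature over the whole database has been verified, which is why the mismatch on an edited database surfaces as a signature failure rather than a hash comparison.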
_______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
