On Mar 8, 2011, at 11:53 AM, Jeff Johnson wrote:

>> A fine idea. You can revisit this when MacPorts decides to make upstream
>> maintainers start signing their distfiles. ;-)
>
> Planned or snarky comment? It's not a bad idea (even if it would take years
> ...)

Mostly snarky comment. Apple currently signs all of its packages and does validation of same, but it requires some fairly centralized machinery to really make this work (at the minimum, MacPorts would need to have a certificate rooted from some trusted authority with which to sign and/or validate the distfiles). Apple, by contrast, is a CA and can do all the CA/sub-CA management itself.

This also assumes that MacPorts has a single location for all the distfiles rather than the distributed collection of distfiles it enjoys today, since there's simply no way to get upstream maintainers to sign their own tarballs. For this and other reasons, I think the idea is mostly a non-starter.

- Jordan

_______________________________________________
macports-dev mailing list
[email protected]
http://lists.macosforge.org/mailman/listinfo.cgi/macports-dev
