On Mar 8, 2011, at 6:33 PM, Jordan K. Hubbard wrote:

>
> On Mar 8, 2011, at 11:53 AM, Jeff Johnson wrote:
>
>>> A fine idea. You can revisit this when MacPorts decides to make upstream
>>> maintainers start signing their distfiles. ;-)
>>
>> Planned or snarky comment? It's not a bad idea (even if it would take years
>> ...)
>
> Mostly snarky comment. Apple currently signs all of its packages and does
> validation of same, but it requires some fairly centralized machinery to
> really make this work (at the minimum, MacPorts would need to have a
> certificate rooted from some trusted authority with which to sign and/or
> validate the distfiles). Apple, by contrast, is a CA and can do all the
> CA/sub-CA management itself.
>
> This also assumes that MacPorts has a single location for all the distfiles
> rather than the distributed collection of distfiles it enjoys today, since
> there's simply no way to get upstream maintainers to sign their own tarballs.
> For this and other reasons, I think the idea is mostly a non-starter.
>

I'd mostly agree non-starter. PKI and crypto is just ... well ... a non-starter.

And if MacPorts does _NOT_ have a "mirror of last resort" well, that's
a different and perhaps more serious problem than whether the crap is
digitally signed.

Given a "mirror of last resort", it would not be hard to inject signatures
onto "upstream" without much effort.

Apologies for "snarky" too. You do have a certain vision and mannerism
that is remarkable.

73 de Jeff
_______________________________________________
macports-dev mailing list
[email protected]
http://lists.macosforge.org/mailman/listinfo.cgi/macports-dev
