Re: [ECFT] pkgng 0.1-alpha1: a replacement for pkg_install

From: Baptiste Daroussin <bapt_at_freebsd.org>
Date: Tue, 29 Mar 2011 05:50:41 +0000
2011/3/29 Tim Kientzle <kientzle_at_freebsd.org>:
>>>>> II. Package signing.
>>>>
>>>> That would be really nice.
>>>
>>> Right now we only planned to sign the repo database, so we can trust
>>> the sha256 of the packages stored in the database. Then if the package
>>> has the same sha256 as the one in the repo database it is considered
>>> trusted.
>>> If we want a per-package signing, we would have a tarball in a tarball.
>>
>> I really expected this to have been mentioned already, but this approach (tarball in a tarball) is taken by Debian packages, and I don't remember hearing of any issues related to it.  I don't think it's worth discounting from the start without giving it some consideration, but I will defer to the people actually doing the work.
>
> If you use libarchive-style streaming, it's even
> pretty straightforward to read and extract such
> things without having to create a bunch of
> temporary files.
>
> You just need to be careful about compression.
>
> Tim
>
>

OK, but what is the problem with signing only the repository and then relying on the digest?

I am not sure we need more than this.

Second question: how to sign? PGP? SSL?

The first would be the easiest way to go, but we don't have anything in base
to check signatures (maybe in that case we should investigate
importing netpgp). SSL, why not? But which algorithm?
What would the security officer prefer?

We are ok to investigate that part, but we need more information about
what is expected.

regards,
Bapt
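The scheme Bapt describes above (sign only the repository database, then trust a package when its sha256 matches the catalog entry), as an added example that is not pkgng's own code: Ed25519 from Go's standard library stands in for the PGP/SSL choice the thread leaves open, and the catalog is a constructed "name sha256" text format, not pkgng's actual database.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Catalog maps package name to the sha256 hex recorded in the signed repo database.
type Catalog map[string]string

// BuildCatalog renders the repository database as sorted "name sha256" lines so
// the bytes, and therefore the repository signature over them, are reproducible.
func BuildCatalog(pkgs map[string][]byte) []byte {
	var lines []string
	for name, body := range pkgs {
		sum := sha256.Sum256(body)
		lines = append(lines, name+" "+hex.EncodeToString(sum[:]))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n") + "\n")
}

// VerifyCatalog parses the database only after the Ed25519 signature over the
// raw bytes checks out; an altered or unsigned catalog yields no trusted digests.
func VerifyCatalog(pub ed25519.PublicKey, raw, sig []byte) (Catalog, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, fmt.Errorf("repository catalog: bad signature")
	}
	cat := Catalog{}
	for _, line := range strings.Split(strings.TrimSpace(string(raw)), "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			cat[f[0]] = f[1]
		}
	}
	return cat, nil
}

// VerifyPackage accepts a downloaded package body only if its sha256 matches
// the catalog entry; a package the signed catalog does not list is rejected.
func (c Catalog) VerifyPackage(name string, body []byte) error {
	sum := sha256.Sum256(body)
	if want, ok := c[name]; !ok || hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("%s: not in signed catalog or sha256 mismatch", name)
	}
	return nil
}
```

Because the signature covers the whole catalog, swapping a digest in the database invalidates it, and a package whose bytes differ from the listed digest is refused even though the package itself carries no signature.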
Received on Tue Mar 29 2011 - 03:51:02 UTC