On 2016-03-23 06:38, Erich Eckner wrote:
On 21.03.2016 21:36, Dutch Ingraham wrote:
On Mon, Mar 21, 2016 at 08:31:00AM +0100, Thomas Penteker wrote:
To fill the missing link to providing integrity and confidentiality, we should start cryptographically signing ports on the maintainer's side and check these signatures before building/downloading anything.
regards, Thomas
Yes, please.[1]
[1] blog.linuxmint.com/?paged=2
Hi,
I think, we should definitely allow for signing and verification. However: what's a useful approach for checking Pkgfiles? It's not pkgmk's job, because we want to be able to edit the file. So I think, "ports -u" should check the signature of Pkgfile and pkgmk the ones of the sources?
On the other hand: I just noticed, that '--no-check-certificate' is passed as an argument to wget. Why isn't assumed, that a proper certificate is installed? Can this be configured somewhere?
cheers, Erich _______________________________________________ CRUX mailing list CRUX@lists.crux.nu https://lists.crux.nu/mailman/listinfo/crux
I would like to recommend the signify tool: http://www.openbsd.org/papers/bsdcan-signify.html It's very high quality and simple. Could be useful for building this package signing system.