On Wed, Mar 23, 2016 at 07:38:37AM +0100, Erich Eckner wrote:
On 21.03.2016 21:36, Dutch Ingraham wrote:
On Mon, Mar 21, 2016 at 08:31:00AM +0100, Thomas Penteker wrote:
To fill the missing link to providing integrity and confidentiality, we should start cryptographically signing ports on the maintainer's side and check these signatures before building/downloading anything.
I think we should definitely allow for signing and verification. However: what's a useful approach for checking Pkgfiles? It's not pkgmk's job, because we want to be able to edit the file. So I think "ports -u" should check the signature of the Pkgfile, and pkgmk the ones of the sources?
The current idea is to have git commits signed. This would sign the sha256 checksum and a "trusted" chain is established. We will obviously lose this when syncing ports with rsync, since only files are synced. This needs to be solved.
On the other hand: I just noticed that '--no-check-certificate' is passed as an argument to wget. Why isn't it assumed that a proper certificate is installed? Can this be configured somewhere?
IIRC that's not a default setting. It can be changed in /etc/pkgmk.conf:

PKGMK_WGET_OPTS=""

-- 
Fredrik Rinnestam
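
A check for the setting discussed above, as an added example that is not part of the original thread or of pkgmk: it reads a pkgmk.conf-style file and reports whether the effective PKGMK_WGET_OPTS passes '--no-check-certificate' to wget. The function names are hypothetical, the sample file is constructed, and the parser assumes simple one-line assignments with no '#' inside the value.

```shell
#!/bin/sh
# Added example: audit a pkgmk.conf-style file for the wget option that
# turns off TLS certificate verification. Function names are hypothetical.

# Print the value of the last uncommented PKGMK_WGET_OPTS assignment.
# Assumes one-line assignments and no '#' inside the option string.
wget_opts_from_conf() {
    # $1: path to the configuration file
    sed -n 's/^[[:space:]]*PKGMK_WGET_OPTS=//p' "$1" |
        tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' \
            -e 's/^"\(.*\)"$/\1/' \
            -e "s/^'\(.*\)'$/\1/"
}

# Return 0 when certificate checks are left on, 1 when the configured
# options include --no-check-certificate.
conf_keeps_cert_check() {
    opts=$(wget_opts_from_conf "$1" | tr '\t' ' ')
    case " $opts " in
        *" --no-check-certificate "*) return 1 ;;
    esac
    return 0
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample pkgmk.conf fragment
# PKGMK_WGET_OPTS=""
PKGMK_WGET_OPTS="--no-check-certificate --tries=3"
EOF

if conf_keeps_cert_check "$sample"; then
    echo "certificate verification left on"
else
    echo "PKGMK_WGET_OPTS disables certificate verification"
fi
rm -f "$sample"
```

Commented-out assignments are ignored and the last active assignment wins, matching how a sourced shell configuration file is evaluated.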