Date: Sun, 22 Jun 2003 04:52:19 +0100
From: Colin Percival <colin.percival@wadham.ox.ac.uk>
To: David Schultz <das@FreeBSD.org>
Cc: chat@FreeBSD.org
Subject: Re: Cryptographically enabled ports tree.
Message-ID: <5.0.2.1.1.20030622044124.02cc0948@popserver.sfu.ca>
In-Reply-To: <20030622033625.GA60460@HAL9000.homeunix.com>
References: <5.0.2.1.1.20030622022111.02c1cdf8@popserver.sfu.ca>
 <5.0.2.1.1.20030621193449.02c91ce8@popserver.sfu.ca>
 <5.0.2.1.1.20030621175853.02c92e00@popserver.sfu.ca>
 <20030621163835.GA18653@tulip.epweb.co.za>
 <5.0.2.1.1.20030621175853.02c92e00@popserver.sfu.ca>
 <5.0.2.1.1.20030621193449.02c91ce8@popserver.sfu.ca>
 <5.0.2.1.1.20030622022111.02c1cdf8@popserver.sfu.ca>
At 20:36 21/06/2003 -0700, David Schultz wrote:
>On Sun, Jun 22, 2003, Colin Percival wrote:
> > What we need is something integrated into the CVS system which rebuilds
> > the necessary signatures every time the ports tree is modified, and commits
> > those into the CVS tree. Any CVS experts around who could say how to do
> > this?
>
>You don't even have to do that. The tree just needs to be signed
>once for every release.

If that's all you want, download the release ISO image; you can verify its MD5 hash against the signed announcement, mount the ISO, and install the ports tree.

>I don't
>see why people need to update their ports tree more often than
>once a release.

Well, there are these ugly things called security bugs.

>Granted, anyone who wanted to offer a (less secure) daily port
>tree signing service or something, they could easily do so with
>access to cvsup-master.

True, but that wouldn't be transparent. People would have to tell cvsup to fetch a particular snapshot of the ports tree, to match the most recent signature; much better if they can cvsup as per normal, get the latest versions of everything, and have the signature come along automatically.

> (It used to be you could talk to jdp@ for
>this; I'm not sure who is responsible now.)

cvsup-master is now owned by kuriyama@.

> Actually, I'm not
>sure whether cvsup's authentication is one-way or two-way, though.

Two-way.

Colin Percival