Date: Tue, 02 Jan 2001 10:19:11 -0700 From: Wes Peters <wes@softweyr.com> To: Guido van Rooij <guido@gvr.org> Cc: Kris Kennaway <kris@FreeBSD.ORG>, Mario Sergio Fujikawa Ferreira <lioux@uol.com.br>, "Michael C . Wu" <keichii@peorth.iteration.net>, ports@FreeBSD.ORG, security-officer@FreeBSD.ORG Subject: Re: Package signing tools Message-ID: <3A520D8F.88498372@softweyr.com> References: <3A4ED1C0.14061CE5@softweyr.com> <20001231003920.A24519@peorth.iteration.net> <3A4EDCA9.5CEA7114@softweyr.com> <20010101083459.B12422@citusc.usc.edu> <20010101143803.A3416@Fedaykin.here> <3A50C6A8.3E02FAE@softweyr.com> <20010101161001.B3416@Fedaykin.here> <3A50D2B7.5AD86D9E@softweyr.com> <20010102050351.C18277@citusc.usc.edu> <20010102163349.A18885@gvr.gvr.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Guido van Rooij wrote: > > On Tue, Jan 02, 2001 at 05:03:51AM -0800, Kris Kennaway wrote: > > > > We need to think about how this is going to be used by the project, > > too. Packages are built automatically, so they'd need to be signed > > automatically. That puts the signing machine(s) in a (more) dangerous > > Not necessarily. Though if done after the building phase, there is > a race that someone breaks into the machine and changes packages > before they are signed. But such a race alwaysn exists.. > > But then again...what exactly does the signing do. IMO signing means > that the package originated from the FreeBSD project and was not altered > after release. ^^^^^^^^ signing. And that's all it means. What you got is what they sent. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A520D8F.88498372>