From owner-freebsd-ports Tue Feb 6 2:14:36 2001 Delivered-To: freebsd-ports@freebsd.org Received: from jamus.xpert.com (helpful.xpert.com [199.203.132.17]) by hub.freebsd.org (Postfix) with ESMTP id 62C5D37B491; Tue, 6 Feb 2001 02:14:15 -0800 (PST) Received: from roman (helo=localhost) by jamus.xpert.com with local-esmtp (Exim 3.12 #5) id 14Q58H-0002WI-00; Tue, 06 Feb 2001 12:13:57 +0200 Date: Tue, 6 Feb 2001 12:13:57 +0200 (IST) From: Roman Shterenzon To: Wes Peters Cc: Markus Holmberg , , Subject: Re: Package integrity check? In-Reply-To: <3A7F9AB6.5CAA983B@softweyr.com> Message-ID: Organization: Xpert UNIX Systems Ltd. MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ports@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 5 Feb 2001, Wes Peters wrote: > Markus Holmberg wrote: > > > > Hello. > > > > Is there any way to perform an integrity check on packages that are fetched > > with "pkg_add -r "? > > > > (Similarly to building a package manually with a trusted /usr/ports and > > checksumming downloaded files) > > > > I assume there is no way to do integrity checking on packages, which > > leads me to the question if the general opinion among the security > > conscious is that packages (from untrusted parties, like any ftp site on > > the mirror list) should not be used at all? > > I have package signing tools, integrated into the pkg_ commands, sitting > on Freefall waiting to be committed. They let you sign a package with > an MD5 checksum (this mechanism is a little weird, inherited from the > OpenBSD code), a PGP signature (this code is also inherited from OpenBSD, > uses PGP 2.xx command line tools, and kinda sucks in my opinion) and Hmm.. GnuPG flags suppport would be nice. --Roman Shterenzon, UNIX System Administrator and Consultant [ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message