Re: Update to the state of the pkgsrc

From: Christian Sturm <athaba@xxxxxxxx>
Date: Wed, 30 Sep 2009 22:29:59 +0200

Justin C. Sherrill wrote:
> On Tue, September 29, 2009 2:56 am, Hasso Tepper wrote:
>
>> - Official (signed?) regular pbulk builds. The current situation really
>>   isn't acceptable. I'd never use packages from random source updated
>>   randomly (no security updates). Really.
>
> This I don't know how to do, and a few seconds of googling don't explain.
> Can you or someone point me at what having signed packages entails? MD5
> sums for all binaries?

Maybe I'm not the best person to answer this, since I've never actually done a bulk build. However, I have read a lot about it.

You already have the checksums after a bulk build. They are SHA512 sums however (not MD5) and they are located in the SHA512.bz2 file generated with the bulk build.

Since generating a signature (not a checksum/normal hash!) for each package would take quite a while, only the SHA512 sums get signed IIRC.

The difference between the hashes and the signature is that hashes tell you "You can be sure the file hasn't been modified after the hash was generated". The problem is you don't know who actually created the packages and the hashes.

If you have a signature it tells you "This (hash) file was created/signed with that key. If you can be sure the key is used by someone you can trust, the content of this file should be okay."
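To make the hash-versus-signature distinction above concrete, here is an added example (not from this thread, not pkgsrc's own tooling). It assumes a SHA512 list in the BSD `SHA512 (file) = hex` line format and uses constructed in-memory "packages" instead of real .tgz files. It shows that a checksum list catches a swapped package, but is silent as soon as whoever swapped the package also regenerated the list, which is exactly the gap a signature over the SHA512 file (e.g. `gpg --verify` against a trusted key, as the NetBSD bulk-upload document describes) is meant to close.

```python
import hashlib
import hmac
import re

# Constructed sample "packages": name -> bytes. A real pbulk run produces .tgz files.
PACKAGES = {
    "foo-1.0.tgz": b"contents of foo 1.0 package",
    "bar-2.3.tgz": b"contents of bar 2.3 package",
}

# Assumed list format: one "SHA512 (name) = <128 hex chars>" line per package.
LINE_RE = re.compile(r"^SHA512 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]{128})$")


def sha512_hex(data: bytes) -> str:
    """Hex SHA-512 digest of a package body."""
    return hashlib.sha512(data).hexdigest()


def make_sha512_file(packages: dict) -> str:
    """Build the SHA512 list the way a bulk build would (assumed BSD line style)."""
    return "".join(
        f"SHA512 ({name}) = {sha512_hex(data)}\n"
        for name, data in sorted(packages.items())
    )


def parse_sha512_file(text: str) -> dict:
    """Parse the list into name -> expected hex digest; reject malformed lines."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a SHA512 entry: {line!r}")
        expected[m["name"]] = m["hex"]
    return expected


def verify_packages(packages: dict, sha512_text: str) -> list:
    """Return the names whose digest is missing from the list or does not match."""
    expected = parse_sha512_file(sha512_text)
    bad = []
    for name, data in packages.items():
        want = expected.get(name)
        # compare_digest avoids timing differences; the inputs are ASCII hex.
        if want is None or not hmac.compare_digest(want, sha512_hex(data)):
            bad.append(name)
    return sorted(bad)


def demo() -> tuple:
    """Two scenarios: list left alone vs. list regenerated after the swap."""
    good_list = make_sha512_file(PACKAGES)
    tampered = dict(PACKAGES, **{"foo-1.0.tgz": b"modified foo package"})
    # 1. Package replaced, original SHA512 list kept: the hash check flags it.
    caught = verify_packages(tampered, good_list)
    # 2. Package replaced and the list regenerated by the same party: the hash
    #    check passes, because a hash only binds the file to the list, not the
    #    list to a trusted author. Only a signature on the list adds that.
    silent = verify_packages(tampered, make_sha512_file(tampered))
    return caught, silent


if __name__ == "__main__":
    print(demo())  # (['foo-1.0.tgz'], [])
```

The second result is the reason the signed artifact is the SHA512 file rather than each package: once the list is signed, regenerating it is no longer enough without the signing key.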

The process is documented here: http://www.netbsd.org/docs/pkgsrc/bulk.html#bulk-upload

About GnuPG/PGP: There are tons of howtos on this topic.
It only looks complicated on the first view.

I hope this is what you wanted to know :-)
