On Mon, 28 Mar 2011, Julien Laffaye wrote:

> On Mon, Mar 28, 2011 at 6:59 PM, Garrett Cooper <gcooper@freebsd.org> wrote:
>> On Mon, Mar 28, 2011 at 10:44 AM, Andriy Gapon <avg@freebsd.org> wrote:
>>>
>>> II. Package signing.
>>
>> That would be really nice.
>
> Right now we only planned to sign the repo database, so we can trust
> the sha256 of the packages stored in the database. Then if the package
> has the same sha256 as the one in the repo database it is considered
> trusted.
> If we want a per-package signing, we would have a tarball in a tarball.

I really expected this to have been mentioned already, but this approach
(tarball in a tarball) is taken by Debian packages, and I don't remember
hearing of any issues related to it. I don't think it's worth discounting
from the start without giving some consideration, but I will defer to the
people actually doing the work.

-Ben Kaduk
_______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"
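
The scheme described in the quoted text above (sign only the repo database, then trust a package whose sha256 matches its database entry) can be sketched as follows. This is an added example, not part of the original thread or of any FreeBSD tool; the catalog format, file names, RSA key and use of the `openssl` CLI are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. Catalog format ("name sha256"), file names and key are constructed.

# Print the sha256 hex digest of a file.
sha256_of() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# Build a demo repo in directory $1: two packages, catalog, key pair, signature.
make_repo() (
    mkdir -p "$1" && cd "$1" || exit 1
    printf 'contents of foo\n' > foo-1.0.txz
    printf 'contents of bar\n' > bar-2.1.txz
    for p in foo-1.0.txz bar-2.1.txz; do
        printf '%s %s\n' "$p" "$(sha256_of "$p")"
    done > repo.db
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out repo.key 2>/dev/null
    openssl pkey -in repo.key -pubout -out repo.pub
    # Only the catalog is signed; packages are covered through their digests.
    openssl dgst -sha256 -sign repo.key -out repo.db.sig repo.db
)

# verify_pkg REPO_DIR PUBKEY PKG: 0 trusted, 1 bad signature, 2 unlisted, 3 mismatch.
verify_pkg() {
    repo=$1 pub=$2 pkg=$3
    # Step 1: the catalog must verify against the key the client already trusts.
    openssl dgst -sha256 -verify "$pub" -signature "$repo/repo.db.sig" \
        "$repo/repo.db" >/dev/null 2>&1 ||
        { echo "untrusted: bad catalog signature"; return 1; }
    # Step 2: the package must be listed in the signed catalog ...
    want=$(awk -v p="$pkg" '$1 == p { print $2 }' "$repo/repo.db")
    [ -n "$want" ] || { echo "untrusted: $pkg not in catalog"; return 2; }
    # Step 3: ... and its digest must equal the signed entry.
    [ "$(sha256_of "$repo/$pkg")" = "$want" ] ||
        { echo "untrusted: $pkg digest mismatch"; return 3; }
    echo "trusted: $pkg"
}

# Demo: a clean package passes, a modified one is rejected.
demo=$(mktemp -d)
make_repo "$demo"
verify_pkg "$demo" "$demo/repo.pub" foo-1.0.txz
printf 'tampered\n' >> "$demo/bar-2.1.txz"
verify_pkg "$demo" "$demo/repo.pub" bar-2.1.txz
rm -rf "$demo"
```

In a real deployment the public key reaches the client out of band rather than from the repo directory, and a package file on its own carries no proof of origin, which is the gap per-package signing would close.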