>>>> II. Package signing.
>>>
>>> That would be really nice.
>>
>> Right now we only planned to sign the repo database, so we can trust
>> the sha256 of the packages stored in the database. Then if the package
>> has the same sha256 as the one in the repo database it is considered
>> trusted.
>> If we want a per-package signing, we would have a tarball in a tarball.
>
> I really expected this to have been mentioned already, but this
> approach (tarball in a tarball) is taken by Debian packages, and I don't
> remember hearing of any issues related to it. I don't think it's worth
> discounting from the start without giving some consideration, but I
> will defer to the people actually doing the work.

If you use libarchive-style streaming, it's even pretty
straightforward to read and extract such things without having
to create a bunch of temporary files. You just need to be
careful about compression.

Tim

_______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"
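
The streaming read discussed in this thread, as an added example that is not part of the message or of the pkg code: Python's `tarfile` in stream mode stands in for libarchive, the inner tarball is hashed while it is unpacked with no temporary files, and nothing is returned unless the digest matches the one from the repo database. The member name `payload.tar.gz`, the unpack limit and the `build_package` helper are assumptions, and `trusted_sha256` is assumed to come from a database whose signature was already verified.

```python
import hashlib, io, tarfile

MAX_UNPACKED = 1 << 20  # assumed cap on decompressed bytes per package

class HashingReader:
    """Hands bytes to the inner tar reader and hashes them on the way."""
    def __init__(self, raw):
        self.raw, self.sha = raw, hashlib.sha256()
    def read(self, n=-1):
        data = self.raw.read(n)
        self.sha.update(data)
        return data

def read_package(stream, trusted_sha256, limit=MAX_UNPACKED):
    """Return {name: bytes} from payload.tar.gz inside the outer tar.
    Raises ValueError; no content is released before the digest matches."""
    files, used = {}, 0
    with tarfile.open(fileobj=stream, mode="r|") as outer:  # outer layer: plain tar
        for entry in outer:
            if entry.name != "payload.tar.gz":
                continue  # e.g. a signature member, not handled in this sketch
            tap = HashingReader(outer.extractfile(entry))
            with tarfile.open(fileobj=tap, mode="r|gz") as inner:
                for m in inner:
                    if not m.isfile():
                        continue
                    used += m.size
                    if used > limit:  # checked before the data is decompressed
                        raise ValueError("payload exceeds unpack limit")
                    files[m.name] = inner.extractfile(m).read()
            while tap.read(65536):  # hash trailing bytes the tar reader left unread
                pass
            if tap.sha.hexdigest() != trusted_sha256:
                raise ValueError("sha256 mismatch with repo database")
            return files
    raise ValueError("no payload member")

def _tar(name, data, mode):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as t:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_package(content):
    """Constructed sample: (outer tar bytes, sha256 of the inner tarball)."""
    payload = _tar("bin/hello", content, "w:gz")
    return _tar("payload.tar.gz", payload, "w"), hashlib.sha256(payload).hexdigest()
```

Because the payload is decompressed before its digest is known, the unpacked data is held in memory and only returned after the comparison; an installer writing to disk would need the same hold-then-commit step.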