security projects thoughts

Arno Hautala arno at alum.wpi.edu
Mon Apr 18 06:40:58 PDT 2011


On Mon, Apr 18, 2011 at 06:12, Bayard Bell
<buffer.g.overflow at googlemail.com> wrote:
>
> I've read back on the threads from March about binary packaging and
> appreciate better what constraints were accepted to simplify deployment. The
> signed Macports releases in distfiles that Anders pointed me to is signed
> with GPG. Given that we're talking about developer tools rather than
> packaging, is it reasonable to add this to the base requirements for
> macports? Are people fine with the idea of using PGP with macports and
> openssl with the packaging system?

I'm all for more GPG adoption, but it might be a good idea to be
consistent and stick with OpenSSL.

> If you go the GPG route for macports, do you want individual developers
> signing things with their own keys, or do you want to have a common
> key, as do the major RPM and apt distros?

A common key either means every developer gets a copy. But do you
really want to issue a new key every time a developer leaves or
accidentally leaks the key?
Or packages are signed by a central entity. This either puts a lot of
pressure on a single developer or means robo-signing with a
passphrase-less key or storing the passphrase on the server.

None of those are all that attractive. Each developer having their own
key, one that has been signed by a MacPorts "master" key or cert
authority, distributes the workload, is easily scalable, and is easily
revocable as needed. You can do this with OpenSSL or GPG.

-- 
arno  s  hautala    /-|   arno at alum.wpi.edu

pgp b2c9d448
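The per-developer-key scheme Arno sketches (each developer holds their own key, the MacPorts "master" key certifies it, and a single developer can be revoked without touching anyone else) can be walked through end to end with nothing but the openssl CLI. The script below is an added example written for this archive page; it is not MacPorts code and not part of the thread. The CA layout, the developer names "alice" and "bob", the subjects, and the stand-in archive are all constructed for the demonstration. It issues two developer certificates from a master CA, has a developer sign an archive, verifies the archive the way a client holding only the master cert and current CRL would (chain check with CRL, then signature check), and then shows that a tampered archive, a self-issued "rogue" certificate, and a revoked developer are all rejected while the other developer's signatures keep verifying.

```shell
#!/bin/sh
# Added example, not MacPorts code: per-developer signing keys certified by a
# MacPorts "master" CA, using only the openssl CLI.  Every name, subject and
# file below is constructed for this demonstration.
set -e

WORK=$(mktemp -d)
CA="$WORK/ca"
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$CA/newcerts"
: > "$CA/index.txt"
echo 1000 > "$CA/serial"
echo 1000 > "$CA/crlnumber"

# Minimal config so 'openssl ca' can issue developer certs, revoke them and
# publish a CRL.  Unquoted heredoc: $CA expands now, \$dir stays for openssl.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca       = macports_ca
[ macports_ca ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
private_key      = \$dir/ca.key
certificate      = \$dir/ca.crt
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = v3_dev
[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions  = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ v3_dev ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
EOF

req() { openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 "$@" 2>/dev/null; }
ca()  { openssl ca  -config "$WORK/ca.cnf" -batch -notext "$@" 2>/dev/null; }

# 1. Master key: a self-signed CA cert, kept offline in practice and used only
#    to certify developers and to sign the CRL.
req -x509 -days 3650 -keyout "$CA/ca.key" -out "$CA/ca.crt" -subj "/CN=MacPorts Example Master CA"

# 2. Each developer generates their own key and hands over only a CSR; the
#    private key never leaves the developer's machine and the CA never sees it.
issue_developer() {   # issue_developer NAME  -> $WORK/NAME.key, $WORK/NAME.crt
  req -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1"
  ca -in "$WORK/$1.csr" -out "$WORK/$1.crt"
}
issue_developer alice
issue_developer bob
ca -gencrl -out "$CA/ca.crl"          # initial, empty CRL

# 3. Developers sign archives with their own keys (detached signature).
sign_archive() {      # sign_archive NAME ARCHIVE  -> ARCHIVE.sig
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
}
printf 'constructed stand-in for a binary archive\n' > "$WORK/pkg.tbz2"
sign_archive alice "$WORK/pkg.tbz2"
cp "$WORK/pkg.tbz2" "$WORK/bob.tbz2"
sign_archive bob "$WORK/bob.tbz2"

# 4. A client holding only ca.crt and the current CRL verifies: the developer
#    cert must chain to the master key and not be revoked, then the archive
#    signature must verify under the public key carried in that cert.
verify_package() {    # verify_package ARCHIVE DEVCERT  -> 0 accept, 1 reject
  openssl verify -CAfile "$CA/ca.crt" -crl_check -CRLfile "$CA/ca.crl" \
      "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -pubkey -noout > "$WORK/verify.pub"
  openssl dgst -sha256 -verify "$WORK/verify.pub" -signature "$1.sig" "$1" >/dev/null 2>&1
}

# 5. Revocation: the master key marks one developer cert revoked and reissues
#    the CRL; no other developer's key, cert or past signatures are touched.
revoke_developer() {  # revoke_developer NAME
  ca -revoke "$WORK/$1.crt" || true   # tolerate "already revoked" on rerun
  ca -gencrl -out "$CA/ca.crl"
}

check_valid()    { verify_package "$WORK/pkg.tbz2" "$WORK/alice.crt"; }
check_tampered() {                   # one appended byte breaks the signature
  cp "$WORK/pkg.tbz2.sig" "$WORK/bad.tbz2.sig"
  { cat "$WORK/pkg.tbz2"; printf 'x'; } > "$WORK/bad.tbz2"
  ! verify_package "$WORK/bad.tbz2" "$WORK/alice.crt"
}
check_rogue() {                      # self-issued cert, never certified by the CA
  req -x509 -days 30 -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" -subj "/CN=rogue"
  cp "$WORK/pkg.tbz2" "$WORK/rogue.tbz2"
  sign_archive rogue "$WORK/rogue.tbz2"
  ! verify_package "$WORK/rogue.tbz2" "$WORK/rogue.crt"
}
check_revoked() {                    # bob's signature is rejected once revoked
  revoke_developer bob
  ! verify_package "$WORK/bob.tbz2" "$WORK/bob.crt"
}

# Stand-alone demo run
for c in check_valid check_tampered check_rogue; do $c && echo "$c: ok"; done
verify_package "$WORK/bob.tbz2" "$WORK/bob.crt" && echo "bob: valid before revocation"
check_revoked && echo "bob: rejected after revocation"
check_valid && echo "alice: still valid after bob was revoked"
```

The design point the thread makes is visible in step 5: revocation is one CA operation plus a CRL republish, and it only ever names the one developer. Clients need to fetch the current CRL (or an equivalent freshness signal) for this to mean anything; a verifier that skips `-crl_check` will keep accepting a revoked developer's signatures until the certificate expires. The same structure maps onto GPG by signing developer keys with a master key and distributing revocation certificates instead of a CRL.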
