security projects thoughts

Rainer Müller raimue at macports.org
Tue Apr 19 06:12:31 PDT 2011


On 04/18/2011 04:04 PM, Jeff Johnson wrote:
> 
> On Apr 18, 2011, at 9:40 AM, Arno Hautala wrote:
> 
>> On Mon, Apr 18, 2011 at 06:12, Bayard Bell
>> <buffer.g.overflow at googlemail.com> wrote:
>>>
>>> I've read back on the threads from March about binary packaging and
>>> appreciate better what constraints were accepted to simplify deployment. The
>>> signed Macports releases in distfiles that Anders pointed me to is signed
>>> with GPG. Given that we're talking about developer tools rather than
>>> packaging, is it reasonable to add this to the base requirements for
>>> macports? Are people fine with the idea of using PGP with macports and
>>> openssl with the packaging system?
>>
>> I'm all for more GPG adoption, but it might be a good idea to be
>> consistent and stick with OpenSSL.
>>
> 
> These are opinions only, without any supplied reason to prefer OpenPGP
> over OpenSSL. Does DSA from OpenSSL taste better to you somehow than
> OpenPGP? Perhaps the random big numbers are "fresher" if wrapped in
> OpenSSL than OpenPGP?

OpenSSL with .pem wasn't chosen for technical but for pragmatic reasons.
Mac OS X does not ship with any PGP implementation, while OpenSSL is part
of the base install.

Releases have been signed by our own GPG keys, but without any master key
to verify the signing key. All we proved there was that a developer
signed this binary and that other people had signed his key to prove the
developer exists as a human being ;-)

Rainer

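The OpenSSL .pem signing flow Rainer refers to, as an added example that is not part of this thread or of the MacPorts project's own scripts: it generates a PEM key pair with the stock openssl CLI, writes a detached SHA-256/RSA signature for an artifact, verifies it, and shows that a tampered artifact fails. It also makes his point about the missing master key concrete: a signature only proves that it matches whatever public key you hand to openssl, so a stray key shipped next to its own signature verifies just as cleanly, and the verifier has to pin (or otherwise trust) the project's key fingerprint before the check means anything. Everything here is assumed: the openssl binary on PATH, the key, file and function names, and the placeholder artifact contents.

```shell
#!/bin/sh
# Added example, not MacPorts code. Assumes the openssl CLI is installed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate an RSA key pair in PEM: $1 = output directory, $2 = key name.
# Produces $2.pem (private) and $2.pub.pem (public).
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/$2.pem" 2>/dev/null
    openssl pkey -in "$1/$2.pem" -pubout -out "$1/$2.pub.pem"
}

# Detached signature: $1 = private key, $2 = artifact, $3 = signature file.
sign_artifact() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Verify: $1 = public key, $2 = artifact, $3 = signature file.
# Exit status 0 means the signature matches under that public key,
# nothing more; it says nothing about whether the key is the project's.
verify_artifact() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of a public key's DER encoding, as lowercase hex.
pubkey_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 \
        | sed 's/^.*= *//'
}

# The check a verifier actually needs: $1 = pinned fingerprint,
# $2 = public key offered with the download, $3 = artifact, $4 = signature.
# Rejects any key that is not the pinned one before even looking at the
# signature, which is the role a master key or pinned fingerprint plays.
verify_pinned() {
    [ "$(pubkey_fingerprint "$2")" = "$1" ] || return 1
    verify_artifact "$2" "$3" "$4"
}

# Constructed inputs: a project signing key, a stray key that is not the
# project's, and a placeholder artifact standing in for a release tarball.
gen_key "$WORK" project
gen_key "$WORK" stray
printf 'placeholder release contents\n' > "$WORK/artifact"

sign_artifact "$WORK/project.pem" "$WORK/artifact" "$WORK/artifact.sig"
sign_artifact "$WORK/stray.pem" "$WORK/artifact" "$WORK/stray.sig"

# The fingerprint a client would ship with, obtained out of band.
PINNED_FP=$(pubkey_fingerprint "$WORK/project.pub.pem")

# Stand-alone run: report each case.
if verify_artifact "$WORK/project.pub.pem" "$WORK/artifact" "$WORK/artifact.sig"; then
    echo "project key, genuine artifact: verified"
fi
if verify_artifact "$WORK/stray.pub.pem" "$WORK/artifact" "$WORK/stray.sig"; then
    echo "stray key with its own signature: verifies too (key trust is the gap)"
fi
if ! verify_pinned "$PINNED_FP" "$WORK/stray.pub.pem" "$WORK/artifact" "$WORK/stray.sig"; then
    echo "stray key against pinned fingerprint: rejected"
fi
```

The signature files produced this way are what a package client would fetch next to the artifact; the fingerprint is what it must already carry. Without that pinned value (or a key signed by a project master key), a client that downloads the public key from the same place as the signature has only checked that the mirror is self-consistent.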