buildbot questions

Joshua Root jmr at macports.org
Tue Aug 2 09:21:38 PDT 2011


On 2011-8-3 02:14 , Marko Käning wrote:
>> What about it? Are you seeing packages that are not signed?
> Oh, they are? I thought it's only the various checksums in the portfiles which make sure that the source is clean.
> So, you say, the Portfiles themselves are being signed on your end and every users port command verifies portfile trustworthy by MacPorts-specific signatures?
> 
> Sorry, if I keep asking silly questions. ;-)

Nothing is verified to be trustworthy. If you use the signed tarball
over rsync or svn over https to sync, you get a high probability that
the ports tree came from the macosforge servers. The detached signatures
alongside the archives do the same for them.

- Josh


More information about the macports-dev mailing list