archive_sites in Portfiles

Joshua Root jmr at
Fri Jan 7 21:44:09 PST 2011

On 2011-1-8 16:02 , Jeremy Lavergne wrote:
>> As another problem, if we use keys for each maintainer, how do we make sure none of the private keys will ever be compromised (carrying around on mobile devices, tiresome typing of a passphrase, etc.)? I might be a little bit paranoid on this, but we have to consider the weakest link here.
> We already trust the port maintainers to not submit trojans in their ports.

It's practical to review portfiles; it's not practical to disassemble
and review binaries. I'm already uncomfortable with third party mirrors
of the ports tree, FTR.

>> It's not about the distribution on an external server, but in which way the archive was created.
> Why can't maintainers offer their archives alongside the ones from MacPorts' MPAB?

They can. They just can't have them officially endorsed.

- Josh

More information about the macports-dev mailing list