Filesize in Portfiles (was Re:  trunk/dports/sysutils/rpm/Portfile)
n3npq at mac.com
Tue Mar 8 18:30:40 PST 2011
On Mar 8, 2011, at 6:33 PM, Jordan K. Hubbard wrote:
> On Mar 8, 2011, at 11:53 AM, Jeff Johnson wrote:
>>> A fine idea. You can revisit this when MacPorts decides to make upstream maintainers start signing their distfiles. ;-)
>> Planned or snarky comment? Its not a bad idea (even if it would take years ...)
> Mostly snarky comment. Apple currently signs all of its packages and does validation of same, but it requires some fairly centralized machinery to really make this work (at the minimum, MacPorts would need to have a certificate rooted from some trusted authority with which to sign and/or validate the distfiles). Apple, by contrast, is a CA and can do all the CA/sub-CA management itself.
> This also assumes that MacPorts has a single location for all the distfiles rather than the distributed collection of distfiles it enjoys today, since there's simply no way to get upstream maintainers to sign their own tarballs. For this and other reasons, I think the idea is mostly a non-starter.
I'd mostly agree non-starter. PKI and crypto is just ... well ... a non-starter.
And if MacPorts does _NOT_ have a "mirror of last resort" well, that's a different
and perhaps more serious problem than whether the crap is digitally signed. Given
a "mirror of last resort", it would not be hard to inject signatures onto "upstream"
without much effort.
Apologies for "snarky" too. You do have a certain vision and mannerism that is remarkable.
73 de Jeff
More information about the macports-dev