What's the "right" way to update a port to

Gabriel Rosenkoetter gr at eclipsed.net
Sun Aug 28 10:33:06 PDT 2016


On 28 Aug, 2016, at 13:16EDT, Rainer Müller <raimue at macports.org> wrote:
> No, verification of PGP signatures is not provided by base. gpg is not
> available on a standard OS X install. Adding that as a requirement just
> to verify the distfile would be quite heavy.

Oh, absolutely! I wasn’t suggesting making it a requirement, that’s why I wrote:

> On 2016-08-28 18:46, Gabriel Rosenkoetter wrote:
>> 
>> (... but if there’s some standardized “make sure some sort of PGP exists locally and just warn, rather than fail, if it doesn't” code, ...

I’m pretty certain I’ve seen exactly this “Hey, I can’t check this signature because you don’t have a PGP; you might want that, but I’m going ahead anyway” message in several tools similar to MacPorts before… CPAN, maybe? I think it was also part of pkgsrc back when I was using NetBSD regularly.

But I guess what you’re saying is, “no, there isn’t a standard way to do this”.

> I would recommend maintainers to verify the signature locally and then
> generate checksums for inclusion in the Portfile.

Huh. I see how that works, but as a user, I guess I’d prefer to do my own signature verification at build time, otherwise I’m only trusting the port maintainer.

Thinking about this more, though, unless one forces the retrieval of the signature to come from the original distribution site, that’s still true, so doing this Right is certainly complicated.

If there’s really no appetite for this, no big deal, I was just asking. :^>

--
Gabriel Rosenkoetter
gr at eclipsed.net
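
The "check the signature if an OpenPGP tool is present, otherwise warn and go ahead" behaviour discussed in this thread, as an added example that is not MacPorts code and not written by either poster. `verify_distfile`, `sha256_of` and `GPG_BIN` are hypothetical names; the maintainer-supplied checksum stays a hard requirement and only the signature check is best-effort.

```shell
#!/bin/sh
# Added example, not MacPorts code. GPG_BIN, sha256_of and verify_distfile
# are hypothetical names chosen for this illustration.
GPG_BIN="${GPG_BIN:-gpg}"

# Print the SHA-256 of a file using whichever standard tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_distfile FILE SIGFILE EXPECTED_SHA256
# Return codes:
#   0  checksum matches and the detached signature verified
#   1  checksum mismatch (hard failure)
#   2  signature present and tool available, but verification failed (hard failure)
#   3  checksum matches, signature NOT checked (warning only, caller may continue)
verify_distfile() {
    file=$1 sig=$2 want=$3

    got=$(sha256_of "$file") || return 1
    if [ "$got" != "$want" ]; then
        echo "error: checksum mismatch for $file" >&2
        return 1
    fi

    if ! command -v "$GPG_BIN" >/dev/null 2>&1; then
        echo "warning: no OpenPGP tool found; signature on $file not checked" >&2
        return 3
    fi
    if [ ! -f "$sig" ]; then
        echo "warning: no signature file for $file; signature not checked" >&2
        return 3
    fi

    # Detached-signature check: gpg --verify SIGFILE DATAFILE
    if "$GPG_BIN" --verify "$sig" "$file" >/dev/null 2>&1; then
        return 0
    fi
    echo "error: signature verification failed for $file" >&2
    return 2
}
```

A passing `gpg --verify` only says the file was signed by some key in the local keyring, so the key and the signature have to be obtained from upstream independently of the distfile for the check to add anything beyond the checksum.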
