On Mon, Jan 29, 2007 at 07:52:42PM -0500, Jason Harris wrote:
> On Mon, Jan 29, 2007 at 07:05:07PM +0000, Gabor Kovesdan wrote:
> > gabor 2007-01-29 19:05:07 UTC
> >
> > FreeBSD ports repository
> >
> > Modified files:
> >
> > Log:
> > Remove USE_GPG from all affected ports. This knob is a no-op and the way it
> > was supposed to work is useless, because if we can't trust the distfile from
> > the remote machine, we can't trust the signature from the same machine either.
> > Our MD5 and SHA256 are good for checking both the sanity and the
> > trustiness of distfiles.
> >
> > Approved by: portmgr (erwin), erwin (mentor)
>
> Please revert this.
>
> And, more importantly, please respect MAINTAINERs' wishes to make
> their ports more secure, by allowing the _automatic_ checking of
> GPG signatures as a first line of defense, rather than less secure.

This "_automatic_ checking of GPG signatures" never worked and doesn't work
since no code was put into bsd.port.mk. IIRC we (portmgr) discussed the
concerns about USE_GPG some years ago and declined this idea per se.

-Kirill