On Wed 2015-02-18 11:46:23 -0500, Doug Barton wrote:
> On 2/18/15 2:52 AM, Jonathan Schleifer wrote:
>> Well, I guess you have to take into account that a lot of downloads
>> are from packaging software like pkgsrc, FreeBSD ports, Gentoo
>> portage, ArchLinux's makepkg, etc. Usually, these do download the
>> signature and tarball once, verify it and then write a checksum to
>> the Makefile / PKGBUILD / however it is called that is then
>> verified. So I guess you can't easily map that to "Only x% of users
>> check the downloaded tarball". I guess it's a lot more, it's just not
>> all check it using the .sig.
>
> Back when I was involved with the FreeBSD project I included code in the
> Makefile to verify the PGP signature for all of my ports that had one,
> as did a few other maintainers. However there was not only not a
> consensus to do this more generally, there was active opposition to
> doing it at all.

that's a bummer :(

> If you are a FreeBSD user and believe that this would be something
> beneficial to the ports system, please send them e-mail at
> freebsd-po...@freebsd.org and let them know. :)

In the Debian Project, we now have a simple framework for including
upstream signing keys and automatically checking them when fetching new
downloads:

  https://wiki.debian.org/debian/watch#Cryptographic_signature_verification

If you see a debian package that could make use of this but isn't
currently configured to do so, please file a bug report in the debian
BTS (or drop me an e-mail).

If it would help with arguing the case within FreeBSD to see how debian
does it, I'm happy to talk with any FreeBSDers about it too.

Regards,

        --dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
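The packager workflow the thread describes (verify the upstream signature once, then pin a checksum that every later fetch is checked against) is easy to get subtly wrong: the checksum is only as trustworthy as that first verification, and the verification is only as trustworthy as the key it was done against. The following is an added illustration, not code from the thread or from FreeBSD ports or Debian's uscan. It verifies a detached signature with the `gpg` command-line tool against a pinned keyring file (so neither the user's default keyring nor a keyserver lookup is consulted) and accepts only a `VALIDSIG` status line, then writes and later checks a distinfo-style record. The record format is a simplified imitation of the FreeBSD `distinfo` layout, and all file names and sample bytes are constructed for the example; a `gpg` binary on `PATH` is assumed only for the signature step.

```python
"""Verify-once, then pin-a-checksum: an added model of the packager flow.

Not from the thread; the distinfo format is simplified and the file names
are made up. The gpg flags used are standard GnuPG options.
"""
import hashlib
import hmac
import shutil
import subprocess
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_detached_signature(tarball: Path, signature: Path, keyring: Path) -> bool:
    """Check a detached signature against ONE pinned keyring file.

    --no-default-keyring + --keyring restricts trust to the keys the packager
    shipped (give an absolute path, otherwise gpg looks inside its homedir).
    --status-fd 1 lets us require a VALIDSIG line instead of trusting only the
    exit code. Requires a gpg binary; returns False if verification fails.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring",
         "--keyring", str(keyring.resolve()), "--status-fd", "1",
         "--verify", str(signature), str(tarball)],
        capture_output=True, text=True,
    )
    return proc.returncode == 0 and any(
        line.startswith("[GNUPG:] VALIDSIG") for line in proc.stdout.splitlines()
    )


def make_distinfo(name: str, data: bytes) -> str:
    """Record written after the one-time signature check (simplified format)."""
    return f"SHA256 ({name}) = {sha256_hex(data)}\nSIZE ({name}) = {len(data)}\n"


def parse_distinfo(text: str) -> dict:
    """Parse 'KEY (name) = value' lines into {(KEY, name): value}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        head, _, value = line.partition(" = ")
        key, _, rest = head.partition(" (")
        entries[(key, rest.rstrip(")"))] = value.strip()
    return entries


def check_distinfo(name: str, data: bytes, distinfo_text: str) -> bool:
    """What every later fetch does: compare hash AND size against the record."""
    entries = parse_distinfo(distinfo_text)
    expected_hash = entries.get(("SHA256", name))
    expected_size = entries.get(("SIZE", name))
    if expected_hash is None or expected_size is None:
        return False
    return (hmac.compare_digest(expected_hash, sha256_hex(data))
            and expected_size == str(len(data)))


if __name__ == "__main__":
    # Constructed sample tarball; a real run would have fetched it upstream.
    name, data = "example-1.0.tar.gz", b"constructed tarball bytes, not a real archive"
    with tempfile.TemporaryDirectory() as tmp:
        tarball = Path(tmp) / name
        tarball.write_bytes(data)
        sig, keyring = tarball.with_suffix(".gz.sig"), Path(tmp) / "upstream-keyring.gpg"
        if shutil.which("gpg") and sig.exists() and keyring.exists():
            assert verify_detached_signature(tarball, sig, keyring), "bad signature"
        else:
            print("gpg, signature or keyring not available; skipping signature step")
        record = make_distinfo(name, data)           # pinned after the one-time check
        print(record, end="")
        print("later fetch ok:", check_distinfo(name, data, record))
        print("tampered fetch ok:", check_distinfo(name, data + b"x", record))
```

The split mirrors the thread's point: `verify_detached_signature` runs once, at the moment the maintainer updates the port, while `check_distinfo` is what every subsequent user build performs, so the user population that "checks the .sig" is small even though almost every install is checked against a hash that the signature anchored.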