Update to the state of the pkgsrc
athaba at inode.at
Wed Sep 30 13:29:59 PDT 2009
Justin C. Sherrill wrote:
On Tue, September 29, 2009 2:56 am, Hasso Tepper wrote:
- Official (signed?) regular pbulk builds. The current situation really
isn't acceptable. I'd never use packages from random source updated
randomly (no security updates). Really.
This I don't know how to do, and a few seconds of googling don't explain.
Can you or someone point me at what having signed packages entails? MD5
sums for all binaries?
Maybe I'm not the best person to answer this, since I've never
actually done a bulk build. However, I have read a lot about it.
You already have the checksums after a bulk build. They are
SHA512 sums however (not MD5) and they are located in the
SHA512.bz2 file generated with the bulk build.
Since generating a signature (not a checksum/normal hash!) for
each package would take quiet a while only the SHA512-sums get
The difference between the hashes and the signature is that
hashes tell you "You can be sure the file hasn't been modified
after the hash was generated". The problem is you don't know who
actually created the packages and the hashes.
If you have a signature it tells you "This (hash)file was
created/signed with that key. If you can be sure the key is used
by someone you can trust the content of this file should be okay.".
The process is documented here:
About GnuPG/PGP: There are tons of howtos on this topic.
It only looks complicated on the first view.
I hope this is what you wanted to know :-)
More information about the Users