Re: Update to the state of the pkgsrc

[Christian Sturm <athaba@xxxxxxxx>]

Justin C. Sherrill wrote:
> On Tue, September 29, 2009 2:56 am, Hasso Tepper wrote:
>
> > - Official (signed?) regular pbulk builds. The current situation really
> >   isn't acceptable. I'd never use packages from random source updated
> >   randomly (no security updates). Really.
>
> This I don't know how to do, and a few seconds of googling don't explain. 
> Can you or someone point me at what having signed packages entails?  MD5
> sums for all binaries?

Maybe I'm not the best person to answer this, since I've never 
actually done a bulk build. However, I have read a lot about it.

You already have the checksums after a bulk build. They are 
SHA512 sums however (not MD5) and they are located in the 
SHA512.bz2 file generated with the bulk build.

Since  generating a signature (not a checksum/normal hash!) for 
each package would take quiet a while only the SHA512-sums get 
signed IIRC.

The difference between the hashes and the signature is that 
hashes tell you "You can be sure the file hasn't been modified 
after the hash was generated". The problem is you don't know who 
actually created the packages and the hashes.

If you have a signature it tells you "This (hash)file was 
created/signed with that key. If you can be sure the key is used 
by someone you can trust the content of this file should be okay.".

The process is documented here: 
http://www.netbsd.org/docs/pkgsrc/bulk.html#bulk-upload

About GnuPG/PGP: There are tons of howtos on this topic.
It only looks complicated on the first view.

I hope this is what you wanted to know :-)

Greetings,
Christian