pkgsrc-Users archive
Re: pkg-vulnerabilities
On Tue, Oct 03, 2006 at 04:41:22PM -0400, Steven M. Bellovin wrote:
> Compressed storage on the local machine is probably a bad idea, since it
> would need to be decompressed several times for each package built. And
> it's probably pointless -- look at how big pkgsrc is, and ask if 200KB
> makes that much difference.

It's not about storage, but about the download itself. I think providing a
bzip2'ed version would be a good idea.

Btw, you can rsync pkg-vulnerabilities...

> A digital signature would be a good idea -- verify it at download time.
> Using TLS would put a lot more load on ftp.netbsd.org, and wouldn't help
> at all if you were using a mirror.

Agreed; the file should be signed/secured, not the connection.

Geert