Subject: Re: pkg-vulnerabilities
To: Christian Biere <christianbiere@gmx.de>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: pkgsrc-users
Date: 10/03/2006 16:41:22
On Tue, 3 Oct 2006 20:52:51 +0200, Christian Biere <christianbiere@gmx.de>
wrote:
> Hi,
>
> I wonder why isn't pkg-vulnerabilities compressed?
> The file is already over 200 kB large and compresses
> quite well to about 10% of its size.
Compressed storage on the local machine is probably a bad idea, since it
would need to be decompressed several times for each package built. And
it's probably pointless -- look at how big pkgsrc is, and ask if 200KB
makes that much difference.
> Further, why
> isn't it signed or at least transferred over TLS?
> Using Subversion instead or as alternative would be
> good idea as well, IMHO.
A digital signature would be a good idea -- verify it at download time.
Using TLS would put a lot more load on ftp.netbsd.org, and wouldn't help
at all if you were using a mirror.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb