Subject: Re: signed binary pkgs [was: Re: BPG call for use cases]
To: None <tech-security@netbsd.org, tech-pkg@netbsd.org>
From: John Kohl <jtk@kolvir.arlington.ma.us>
List: tech-security
Date: 07/25/2005 20:20:23
>>>>> "Todd" == Todd Vierling <tv@duh.org> writes:

Todd> On Mon, 25 Jul 2005, Curt Sampson wrote:
>> It's a PITA for users. Do we really want to stick users with the baggage
>> of having to deal with two files, and the attendant risk of mismatching
>> the two or losing one, if we gain no security benefit from it?

Todd> I would much rather see an embedded signature.  This is e.g. how signed Java
Todd> archives work.

Todd> I'm aware that the detached compression of individual files in the Zip
Todd> format used by JARs makes it easier to do verification before files are
Todd> extracted.  Even in that case, though, ahead-of-time verification still
Todd> requires decompressing all the data, as would be required by a stream-based
Todd> compression like gzip.

I've always disliked using compressed tar format for packages anyway--it
makes it inefficient to examine or extract components without reading
the whole thing.  Last I looked at the package code (5+ years ago),
unpacking and installing could take nearly 3x space (one for compressed
tarball, one for unpacked copy, one for target install area if on a
separate mounted file system).  If we're talking about serious rework of
packaging for signing, how about switching to a zip or similar archive
format with random access to members?

-- 
==John Kohl <jtk@kolvir.arlington.ma.us>, <john_kohl@alum.mit.edu>
Home page: <http://home.comcast.net/~john.kohl/>
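The thread's two points (an embedded signature that can be checked before anything is extracted, and an archive format with random access to members) can be shown together in a small Python program. This is an added illustration written for this page, not NetBSD's pkg_install code and not any pkgsrc format: the `+MANIFEST`/`+SIGNATURE` member names, the `lib/libexample.so` and `share/doc/README` sample members and the `KEY` value are all constructed for the example, and an HMAC over the manifest stands in for a real public-key signature so the code runs with the standard library alone. The program signs a manifest of per-member SHA-256 digests, verifies one member before handing it back, rejects a member rewritten after signing, and counts how many archive bytes the reader touched compared with locating the same member in a gzip-compressed tar stream.

```python
"""Signed manifest inside a random-access zip package (added illustration)."""
import hashlib
import hmac
import io
import tarfile
import zipfile

MANIFEST = "+MANIFEST"    # hypothetical member: "<name> sha256 <hex>" per line
SIGNATURE = "+SIGNATURE"  # hypothetical member: signature over the MANIFEST bytes
KEY = b"example-key"      # constructed; an HMAC stands in for a public-key signature


class CountingBytesIO(io.BytesIO):
    """In-memory file that records how many bytes the archive reader pulled."""

    def __init__(self, data):
        super().__init__(data)
        self.bytes_read = 0

    def read(self, n=-1):
        chunk = super().read(n)
        self.bytes_read += len(chunk)
        return chunk


def sign_manifest(manifest, key=KEY):
    return hmac.new(key, manifest, "sha256").hexdigest().encode()


def build_signed_zip(members, key=KEY):
    """Members in the given order, then the digest manifest and its signature."""
    manifest = "".join(f"{n} sha256 {hashlib.sha256(d).hexdigest()}\n"
                       for n, d in members.items()).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
        zf.writestr(MANIFEST, manifest)
        zf.writestr(SIGNATURE, sign_manifest(manifest, key))
    return buf.getvalue()


def build_targz(members):
    """The same members as a gzip'd tar stream, for the bytes-read comparison."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract_verified(archive, name, key=KEY):
    """Return (member bytes, archive bytes read); only the central directory,
    MANIFEST, SIGNATURE and the requested member are ever read."""
    fp = CountingBytesIO(archive)
    with zipfile.ZipFile(fp) as zf:
        manifest = zf.read(MANIFEST)
        if not hmac.compare_digest(zf.read(SIGNATURE), sign_manifest(manifest, key)):
            raise ValueError("manifest signature does not verify")
        digests = {}
        for line in manifest.decode().splitlines():
            member, algo, hexdigest = line.split()
            if algo != "sha256":
                raise ValueError(f"unsupported digest {algo!r} in manifest")
            digests[member] = hexdigest
        if name not in digests:
            raise ValueError(f"{name!r} is not covered by the signed manifest")
        data = zf.read(name)
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), digests[name]):
        raise ValueError(f"{name!r} does not match its signed digest")
    return data, fp.bytes_read


def extract_from_targz(archive, name):
    """Pull one member out of a tar.gz stream; the reader inflates up to it."""
    fp = CountingBytesIO(archive)
    with tarfile.open(fileobj=fp, mode="r:gz") as tf:
        data = tf.extractfile(name).read()
    return data, fp.bytes_read


def tamper(archive, name, new_data):
    """Attacker's move: rewrite one member of a signed zip without re-signing."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            payload = new_data if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, payload)
    return out.getvalue()


# Constructed sample package: a large incompressible blob ahead of a small file.
FILLER = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(8192))
MEMBERS = {"lib/libexample.so": FILLER, "share/doc/README": b"hello from pkg\n"}
```

Calling `extract_verified(build_signed_zip(MEMBERS), "share/doc/README")` returns the member together with a byte count of a few kilobytes at most (end-of-central-directory record, central directory, manifest, signature, one member), while `extract_from_targz(build_targz(MEMBERS), "share/doc/README")` has to inflate the whole stream past the 256 KiB filler to reach the same member. `tamper(signed, "share/doc/README", b"evil\n")` keeps the original manifest and signature but is rejected by the digest check, and replacing the manifest itself fails the signature check. The design choice that makes this work is that the signature covers a small manifest of digests rather than the archive bytes, so verification of one member never needs the others; a real implementation would sign the manifest with a public-key algorithm and would also have to decide what to do with archive members the manifest does not list.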