Subject: Re: adding gpg to src/gnu/dist
To: NetBSD Security Technical Discussion List <tech-security@NetBSD.ORG>
From: Greg A. Woods <woods@weird.com>
List: tech-userlevel
Date: 05/14/2004 22:32:39
[ On Friday, May 14, 2004 at 17:01:57 (-0700), Jon Buller wrote: ]
> Subject: Re: adding gpg to src/gnu/dist 
>
> Unless I have (for the sake of a really sick example) a windows
> box with internet connectivity, and want to pull packages onto that
> box, verify them, and move them off (by sneakernet) to the "N"
> boxes where they are actually getting installed.
> 
> Is anyone ever going to want to do something that lame?

How about the way-less lame scenario of wanting to verify the signatures
of package files sitting on some arbitrary FTP server?

I.e. what's most important is that it be possible to verify the package
archive without any of the pkg_install tools and without unpacking the
archive.

That can be done of course with both OpenSSL and PGP.  I think though
that PGP/GPG is a lot easier to use in this scenario where a stand-alone
NetBSD-CA is being considered since PGP keys can be fetched (and I think
much more easily validated and verified) from any internet-connected
host than a stand-alone certificate authority can be (unless the
NetBSD-CA cert were to somehow be included in the widely distributed
root-cert bundles).  (assuming both openssl and PGP or GPG are already
installed and working on that host)

-- 
						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>