On 21/10/2007, David E. Thiel <[EMAIL PROTECTED]> wrote: > > The lowest-impact way to fix this, I think, is to use SSL for pkg_adds. > There are a couple of things that would need to change to make this > happen.
You can't (easily) cache data over SSL. Well, you can't use a HTTP proxy that doesn't break the SSL conversation and cache the updates. As someone who occasionally makes sure that distribution updates through a Squid proxy actually caches said updates, I'd really prefer you didn't stick package contents behind SSL. > Now, we could take another approach of PGP-signing packages instead, but > all the efforts I've seen to integrate PGP with the package management > system in the past haven't gone anywhere. The changes above seem to be > a bit more trivial than inventing a package-signing infrastructure and > putting gpg or a BSD-licensed clone into base. Perhaps using SSL to sign > packages and having a baked-in key would work as well. Considering its a solved problem (mostly!) in other distributions, and their updates are very cachable, why not do this? Adrian -- Adrian Chadd - [EMAIL PROTECTED] _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "[EMAIL PROTECTED]"
