On 28 Aug, 2016, at 13:16 EDT, Rainer Müller <rai...@macports.org> wrote:
> No, verification of PGP signatures is not provided by base. gpg is not
> available on a standard OS X install. Adding that as a requirement just
> to verify the distfile would be quite heavy.

Oh, absolutely! I wasn’t suggesting making it a requirement; that’s why I wrote:

> On 2016-08-28 18:46, Gabriel Rosenkoetter wrote:
>> 
>> (... but if there’s some standardized “make sure some sort of PGP exists 
>> locally and just warn, rather than fail, if it doesn't” code, ...

I’m pretty certain I’ve seen exactly this “Hey, I can’t check this signature 
because you don’t have a PGP; you might want that, but I’m going ahead anyway” 
message in several tools similar to MacPorts before… CPAN, maybe? I think it 
was also part of pkgsrc back when I was using NetBSD regularly.

But I guess what you’re saying is, “no, there isn’t a standard way to do this”.

> I would recommend maintainers to verify the signature locally and then
> generate checksums for inclusion in the Portfile.

Huh. I see how that works, but as a user, I guess I’d prefer to do my own 
signature verification at build time, otherwise I’m only trusting the port 
maintainer.

Thinking about this more, though, unless one forces the retrieval of the 
signature to come from the original distribution site, that’s still true, so 
doing this Right is certainly complicated.

If there’s really no appetite for this, no big deal, I was just asking. :^>

--
Gabriel Rosenkoetter
g...@eclipsed.net

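What a "check the signature if you can, warn if you can't" fetch step of the kind discussed above could look like, as an added illustration written for this page. It is not code from MacPorts base, from any Portfile, or from the participants in the thread. Assumed for the example: the function and variable names (verify_distfile, sha256_of, GPG_BIN), that the port supplies an expected SHA-256 and a pinned OpenPGP key fingerprint, and that the upstream public key has already been imported into a keyring file given by absolute path. The status-line parsing relies on GnuPG's documented VALIDSIG output. The point to note is step 3: a signature that merely verifies against some key proves little, so the signer's primary-key fingerprint is compared with a value recorded in the port, which is the same kind of trust anchor as the checksum itself.

```shell
#!/bin/sh
# Added example (not MacPorts base code): a fetch-time distfile check that
# always enforces the Portfile checksum and additionally verifies a detached
# OpenPGP signature when gpg is available, warning (not failing) when it is not.

# gpg binary to use. Made overridable so the "no gpg on this machine" path can
# be exercised deliberately; MacPorts has no such variable (assumption).
: "${GPG_BIN:=gpg}"

# Print the SHA-256 of a file; portable across macOS (shasum) and Linux (sha256sum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# verify_distfile DISTFILE EXPECTED_SHA256 SIGFILE PINNED_FINGERPRINT KEYRING REQUIRED
#   EXPECTED_SHA256 and PINNED_FINGERPRINT stand for values the maintainer records
#   in the Portfile; KEYRING is an absolute path to a keyring file holding the
#   upstream public key; REQUIRED is "yes" to fail instead of warn when gpg is absent.
#   Returns 0 if the distfile may be used, 1 if it must be rejected.
verify_distfile() {
    distfile=$1
    expected=$2
    sigfile=$3
    pinned_fpr=$4
    keyring=$5
    required=$6

    # 1. The recorded checksum is always enforced. It binds the fetched bytes to
    #    what the maintainer verified; without it a mirror could swap the tarball.
    actual=$(sha256_of "$distfile")
    if [ "$actual" != "$expected" ]; then
        echo "error: checksum mismatch for $distfile" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi

    # 2. The signature check is best effort: warn and continue when gpg is absent,
    #    unless the port declared it required.
    if ! command -v "$GPG_BIN" >/dev/null 2>&1; then
        if [ "$required" = yes ]; then
            echo "error: $distfile: OpenPGP signature required but no gpg found" >&2
            return 1
        fi
        echo "warning: cannot verify OpenPGP signature for $distfile: no gpg found." >&2
        echo "  Install gnupg to enable this check; continuing with checksum only." >&2
        return 0
    fi

    # 3. With gpg present, verify against an isolated keyring and insist that the
    #    signing key's primary fingerprint equals the pinned one. The VALIDSIG status
    #    line (its last field is the primary key fingerprint) is checked rather than
    #    trusting exit status alone, so a valid signature from *some* key is not enough.
    status=$("$GPG_BIN" --batch --no-default-keyring --keyring "$keyring" \
                --trust-model always --status-fd 1 \
                --verify "$sigfile" "$distfile" 2>/dev/null) || {
        echo "error: bad or missing signature on $distfile" >&2
        return 1
    }
    got_fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
    want_fpr=$(printf '%s' "$pinned_fpr" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    if [ -z "$got_fpr" ] || [ "$got_fpr" != "$want_fpr" ]; then
        echo "error: $distfile signed by ${got_fpr:-unknown key}, expected $want_fpr" >&2
        return 1
    fi
    echo "ok: $distfile checksum and OpenPGP signature verified ($want_fpr)" >&2
    return 0
}
```

Usage: verify_distfile /path/foo-1.0.tar.gz SHA256_FROM_PORTFILE /path/foo-1.0.tar.gz.asc PINNED_FINGERPRINT /abs/path/keyring.gpg no. Give the keyring as an absolute path, since gpg resolves a bare file name relative to its home directory; and note that fetching the .asc from a mirror alongside the tarball is fine only because the fingerprint it must match lives in the port, not on the mirror.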

_______________________________________________
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users
