On 4 February 2014 11:25, Marc Espie <[email protected]> wrote:
> 2014-02-04 Kim Twain <[email protected]>:
>> Does pkg_add automatically check these signatures, or, as of now, I'd need
>> to manually download the packages, verify them with signify and then install
>> them locally with pkg_add?
>
> In -current, if you don't use any flags to pkg_add, and you don't see any
> message at the end, the packages were signed and verified.
>
> (and by default, post 5.5, pkg_add will probably error out if the packages
> are not signed if you don't use -Dunsigned !)
>
> Maybe you're already using signed packages and haven't noticed.
> (there were two or hiccups in some snapshots, but apart from that, things
> have been working great).
>
>
> Getting a streamlined process WAS the difficult part in getting signed
> packages out, NOT the technical feat of having signed packages...
>
> After all, pkg_create/pkg_add has known how to sign stuff for 3 years by now.
>
> signify(1) makes things more transparent: no chain of trust, pure keys.
>
> One cool thing is that the signatures are small enough that they can be
> embedded directly in the package (which already has sha256 for everything).
>
> This has the advantage of decentralization: package snapshots can be partially
> synchronized, and still each package carries its own signature. Less margin
> for strange errors -> stuff that works most of the time -> more trustworthy.
>
> Remember that message about ssh keys that changed that you used to get when
> admins weren't savvy about getting keys around, or all those self-signed
> https certificates you've been trained to ignore? Signatures are the same.
> If they're not 100% present by default, people will be trained to ignore them.
>
>
> If you think security is a technicality, you only have 1/3rd of the
> story. Getting the process right and making sure the users don't do
> anything stupid is the right part.
>

Maybe even the hard part. <insert sisyphus reference of choice here> ....

Ken
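As an added illustration (not from this thread, and not OpenBSD's pkg_add or signify code), the following Python models the design Marc describes: a package that already carries a sha256 for every file gets a small signature over that file list embedded in it, so a mirror holding only part of a snapshot still verifies each package on its own, and an unsigned package is rejected unless the caller explicitly opts out, as with -Dunsigned. It assumes the third-party cryptography library for Ed25519; the package layout, function names and sample packages are constructed for the model.

```python
# Added model (not pkg_add/signify code): a package carries a manifest of
# per-file sha256 digests plus an Ed25519 signature over that manifest, so
# each package verifies on its own, whatever subset of a snapshot a mirror has.
# Assumes the third-party 'cryptography' library; all names here are invented.
import hashlib
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey


def build_package(files, signing_key=None):
    """files: {name: bytes}. If a key is given, embed a signature over the manifest."""
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    sig = signing_key.sign(manifest_bytes) if signing_key else None
    return {"files": dict(files), "manifest": manifest_bytes, "signature": sig}


def verify_package(pkg, pubkey, allow_unsigned=False):
    """Mirror the default described in the thread: an unsigned package is an
    error unless the caller explicitly opts out (the -Dunsigned case)."""
    if pkg["signature"] is None:
        return allow_unsigned
    try:
        pubkey.verify(pkg["signature"], pkg["manifest"])   # raises on mismatch
    except InvalidSignature:
        return False
    manifest = json.loads(pkg["manifest"])
    if set(manifest) != set(pkg["files"]):                 # file added or removed
        return False
    # Signature covers the digests; the digests cover the file contents.
    return all(hashlib.sha256(pkg["files"][n]).hexdigest() == h
               for n, h in manifest.items())


def demo():
    """Constructed sample: one signing key, two packages, a mirror holding only one."""
    key = Ed25519PrivateKey.generate()
    pub = key.public_key()
    other_pub = Ed25519PrivateKey.generate().public_key()   # not the signer's key
    pkgs = {"a-1.0": build_package({"bin/a": b"a-binary", "+DESC": b"tool a"}, key),
            "b-2.1": build_package({"bin/b": b"b-binary"}, key)}
    mirror = {"b-2.1": pkgs["b-2.1"]}                       # partially synced snapshot
    tampered = build_package({"bin/b": b"b-binary"}, key)
    tampered["files"]["bin/b"] = b"b-binary-modified"        # changed after signing
    unsigned = build_package({"bin/c": b"c"})
    return {
        "partial_mirror_ok": verify_package(mirror["b-2.1"], pub),
        "tampered_file": verify_package(tampered, pub),
        "wrong_key": verify_package(pkgs["a-1.0"], other_pub),
        "unsigned_default": verify_package(unsigned, pub),
        "unsigned_opt_out": verify_package(unsigned, pub, allow_unsigned=True),
    }
```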

