From jason@pm1.ric-13.lft.widomaker.com  Sun Feb 29 11:40:02 2004
Return-Path: <jason@pm1.ric-13.lft.widomaker.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 23C9C16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 29 Feb 2004 11:40:02 -0800 (PST)
Received: from pm1.ric-13.lft.widomaker.com (pm1.ric-13.lft.widomaker.com [209.96.189.29])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C464A43D2D
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 29 Feb 2004 11:40:00 -0800 (PST)
	(envelope-from jason@pm1.ric-13.lft.widomaker.com)
Received: (from jason@localhost)
	by pm1.ric-13.lft.widomaker.com (8.12.11/8.12.10) id i1TJdwrf035173;
	Sun, 29 Feb 2004 14:39:59 -0500 (EST)
Message-Id: <200402291939.i1TJdwrf035173@pm1.ric-13.lft.widomaker.com>
Date: Sun, 29 Feb 2004 14:39:59 -0500 (EST)
From: Jason Harris <jharris@widomaker.com>
Reply-To: Jason Harris <jharris@widomaker.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Jason Harris <jharris@widomaker.com>
Subject: ports/security/libprelude - fetch PGP signature
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         63546
>Category:       ports
>Synopsis:       ports/security/libprelude - fetch PGP signature
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 29 11:40:24 PST 2004
>Closed-Date:    Sun Feb 29 12:21:48 PST 2004
>Last-Modified:  Sun Feb 29 22:50:17 PST 2004
>Originator:     Jason Harris
>Release:        FreeBSD 4.3-RELEASE i386
>Organization:
none here
>Environment:
System: FreeBSD 4.3-RELEASE i386

>Description:

	fetch PGP signature to facilitate (manual) verification
>How-To-Repeat:

	apply patch below
>Fix:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

cvs server: Diffing .
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/security/libprelude/Makefile,v
retrieving revision 1.8
diff -u -r1.8 Makefile
--- Makefile	29 Feb 2004 15:29:53 -0000	1.8
+++ Makefile	29 Feb 2004 19:37:48 -0000
@@ -8,6 +8,8 @@
 PORTREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	http://www.prelude-ids.org/download/releases/
+DISTFILES=	${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.sig
+EXTRACT_ONLY=	${DISTNAME}${EXTRACT_SUFX}
 
 MAINTAINER=	ports@FreeBSD.org
 COMMENT=	Prelude Network Intrusion Detection System librairies
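Review bot: Adding `${DISTNAME}${EXTRACT_SUFX}.sig` to DISTFILES only makes `make fetch` download the signature; nothing in this hunk verifies it, so after the fetch the .sig just sits in the distfiles directory and the only check applied to it is the MD5 recorded in distinfo. Either pair the fetch with a verification step (the audit trail suggests a general HAS_PGPSIGNATURE / `make pgpcheck` scheme rather than per-port DISTFILES edits) or state in the port that verification is manual. Note also that the .sig is fetched from the same MASTER_SITES as the tarball, so its provenance is no stronger than the tarball's; a replaced mirror can serve a matching pair, which is why a signature that is never checked against a trusted key adds no integrity beyond the distinfo checksum.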
Index: distinfo
===================================================================
RCS file: /home/ncvs/ports/security/libprelude/distinfo,v
retrieving revision 1.6
diff -u -r1.6 distinfo
--- distinfo	7 Feb 2004 17:16:18 -0000	1.6
+++ distinfo	29 Feb 2004 19:37:49 -0000
@@ -1,2 +1,3 @@
 MD5 (libprelude-0.8.10.tar.gz) = 68171b170d1f8ad7e38f949391e6b227
 SIZE (libprelude-0.8.10.tar.gz) = 898214
+MD5 (libprelude-0.8.10.tar.gz.sig) = 9d66f7551caaf95555afd8fe1213fcfd
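Review bot: The new `.sig` entry has an MD5 line but no matching SIZE line, while the tarball entry above carries both; add `SIZE (libprelude-0.8.10.tar.gz.sig) = <size-of-sig-file>` so the new distfile is checked the same way as the existing one. Keep in mind that the checksum only proves the fetched .sig is the one the committer saw; it says nothing about whether the signature validates against the upstream key, which is the step the PR description leaves to manual verification.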
cvs server: Diffing files
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFAQj+mSypIl9OdoOMRAnTIAKDKTNidi2wrmZHj4xZVSMS7kL4qsACgiZru
5PKqBL3MnhueltbBxvZscv0=
=EJPp
-----END PGP SIGNATURE-----
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: eik 
State-Changed-When: Sun Feb 29 21:13:54 CET 2004 
State-Changed-Why:  
Thanks for your efforts, I like to see PGP support in the ports tree, but:

- this is not a matter of a single port
- some people do not want to fetch distfiles they don't need
- this should be more semi-automatic, like HAS_PGPSIGNATURE and `make pgpcheck'
- this interferes with PR 60558, since you can't simply add USE_GPG/PGP to the Makefile,
  you'll have to correct DISTFILES for that.

IMHO it would be better to come up with a general scheme for how PGP signature
verification of distfiles could work instead of simply fetching them, which
just wastes space and doesn't increase security.

http://www.freebsd.org/cgi/query-pr.cgi?pr=63546 
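The audit trail's point is that the distinfo checksum is the check the framework actually applies, and that a fetched-but-unverified .sig is covered by nothing else. The following is an added example, not code from the PR or from the FreeBSD ports framework: a small Python re-implementation of the distinfo MD5/SIZE check, in the line format shown in the diff above, run over constructed stand-in contents for the two distfiles named in this PR. The file bytes and the checksums derived from them are constructed for the example and are not the values in the PR's distinfo; the function names are this example's own.

```python
import hashlib
import re

# Constructed stand-ins for the real tarball and detached signature.
# Real distfiles are far larger; the point is only the check logic.
DISTFILES = {
    "libprelude-0.8.10.tar.gz": b"constructed tarball bytes\n",
    "libprelude-0.8.10.tar.gz.sig": b"constructed detached signature bytes\n",
}

# One "KIND (name) = value" line per entry, as in the PR's distinfo hunk.
DISTINFO_LINE = re.compile(r"^(MD5|SIZE) \((\S+)\) = (\S+)$")


def make_distinfo(files, with_size=True):
    """Render distinfo text for the given {name: bytes} mapping.
    with_size=False reproduces the PR's .sig entry, which has MD5 only."""
    lines = []
    for name, data in files.items():
        lines.append(f"MD5 ({name}) = {hashlib.md5(data).hexdigest()}")
        if with_size:
            lines.append(f"SIZE ({name}) = {len(data)}")
    return "\n".join(lines) + "\n"


def pr_style_distinfo(files):
    """distinfo shaped like the one in this PR: the tarball has MD5 and
    SIZE, the .sig has an MD5 line only."""
    tarball = {k: v for k, v in files.items() if not k.endswith(".sig")}
    sigs = {k: v for k, v in files.items() if k.endswith(".sig")}
    return make_distinfo(tarball) + make_distinfo(sigs, with_size=False)


def parse_distinfo(text):
    """Return {name: {"MD5": hex, "SIZE": str}} from distinfo text;
    unrecognised lines are ignored, as the framework would."""
    entries = {}
    for line in text.splitlines():
        m = DISTINFO_LINE.match(line.strip())
        if m:
            kind, name, value = m.groups()
            entries.setdefault(name, {})[kind] = value
    return entries


def check_distfiles(distinfo_text, files):
    """Apply the distinfo check to fetched distfiles.  Returns {name: status}
    with status one of: ok, no distinfo entry, md5 mismatch, no SIZE entry,
    size mismatch.  Note what this does NOT do: it never validates a .sig
    against any key; a signature file is just another blob with a checksum."""
    entries = parse_distinfo(distinfo_text)
    result = {}
    for name, data in files.items():
        entry = entries.get(name)
        if entry is None:
            result[name] = "no distinfo entry"
        elif entry.get("MD5") != hashlib.md5(data).hexdigest():
            result[name] = "md5 mismatch"
        elif "SIZE" not in entry:
            result[name] = "no SIZE entry"
        elif int(entry["SIZE"]) != len(data):
            result[name] = "size mismatch"
        else:
            result[name] = "ok"
    return result


if __name__ == "__main__":
    # Complete distinfo: both files pass.
    print(check_distfiles(make_distinfo(DISTFILES), DISTFILES))
    # PR-shaped distinfo: the .sig is flagged for its missing SIZE line.
    print(check_distfiles(pr_style_distinfo(DISTFILES), DISTFILES))
    # A replaced tarball is caught by the MD5 line regardless of the .sig.
    tampered = dict(DISTFILES, **{"libprelude-0.8.10.tar.gz": b"replaced\n"})
    print(check_distfiles(make_distinfo(DISTFILES), tampered))
```

The third case is the one worth dwelling on: if a mirror replaces both the tarball and its .sig, this check still fails on the tarball's MD5 line, because the committer recorded that checksum after inspecting the file. The .sig contributes nothing to that outcome, which is what the audit trail means by "doesn't increase security" unless a `pgpcheck`-style step actually validates it.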

From: tmseck-lists@netcologne.de (Thomas-Martin Seck)
To: bug-followup@freebsd.org
Cc:  
Subject: Re: ports/63546: ports/security/libprelude - fetch PGP signature
Date: 1 Mar 2004 06:49:38 -0000

 * Jason Harris <jharris@widomaker.com> [gmane.os.freebsd.devel.ports.bugs]:
 
 > On Sun, Feb 29, 2004 at 10:23:33PM +0100, Oliver Eikemeier wrote:
 > 
 >> Unfortunate, but I guess we can fix this. I hope I made my point without 
 >> offending you, but blindly downloading and verifying a PGP signature is 
 >> actually *less* secure than the md5 checksum in distinfo, and worse, it
 >> gives a false sense of security.
 
 I agree with you here.
 
 > No offense taken - your presumptions about security plague many.
 
 This has -- IMO -- nothing to do with security. It is already the
 (unwritten) maintainer's duty to verify a signed distfile and it is (or
 really should be) the committer's duty to do the same. The only purpose
 of an automated check on the user's end would just be a check whether a
 maintainer/committer was careless or part of a grand "let's trojan
 FreeBSD" conspiracy.
>Unformatted:
