On Wed, Jul 05 2023, Alexander Bluhm <alexander.bl...@gmx.net> wrote:
> On Wed, Jul 05, 2023 at 05:35:01PM +0200, Jeremie Courreges-Anglas wrote:
>> On Tue, Jul 04 2023, Alexander Bluhm <alexander.bl...@gmx.net> wrote:
>> > Hi,
>> >
>> > ok to import splicebench-1.02 ?
>> 
>> At first I got puzzled by SUPDISTFILES but go for it if you find it useful.
>
> If upstream provides a gpg signature, I download it and check it.
> Although it is not perfect to prevent backdoors, I would feel very
> bad, if I would commit a tampered port that could be detected by a
> signature.
>
> Downloading the detached signature as SUPDISTFILES makes it easy
> to verify manually.
>
> Any better idea to prevent supply chain attacks?

I'm not objecting to the rationale, I also check signatures whenever
I can.  This reminds me of a proposal from Stuart which I liked a lot
but I haven't pushed for... until now:

  https://marc.info/?l=openbsd-ports&m=157687699320320&w=2

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
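
As an added example (not code from the thread or from the ports tree), the manual check Alexander describes, written as a small sh script: it runs gpg over the distfile and the detached signature fetched via SUPDISTFILES, but only accepts the result when gpg's machine-readable status reports a VALIDSIG from a pinned upstream fingerprint, since a bare exit status 0 from `gpg --verify` means only that some key in the keyring signed the file. It assumes gpg(1) is installed and the upstream key is already imported; the fingerprint in the comments is a placeholder.

```shell
#!/bin/sh
# Added example: verify a detached OpenPGP signature of a port distfile
# against a pinned primary-key fingerprint (assumed to be imported already).

# check_validsig STATUS FPR
# STATUS is the text gpg wrote to --status-fd; FPR is the pinned primary
# key fingerprint (40 hex digits, no spaces).  Returns 0 only if gpg saw a
# VALIDSIG line naming that fingerprint and no BADSIG/ERRSIG line.
check_validsig() {
    status="$1"
    expected="$2"
    printf '%s\n' "$status" | awk -v want="$expected" '
        # VALIDSIG: field 3 is the signing (sub)key, last field the primary key
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if ($3 == want || $NF == want) ok = 1
        }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }'
}

# verify_distfile DISTFILE SIGFILE FPR
# Example: verify_distfile splicebench-1.02.tar.gz splicebench-1.02.tar.gz.asc \
#              0123456789ABCDEF0123456789ABCDEF01234567   # placeholder fpr
verify_distfile() {
    distfile="$1"
    sig="$2"
    expected="$3"
    # --status-fd 1 puts the parseable status lines on stdout; human output is dropped
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$distfile" 2>/dev/null)
    check_validsig "$status" "$expected"
}
```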
