On Wed, Jul 05, 2023 at 09:21:35PM +0200, Jeremie Courreges-Anglas wrote:
> On Wed, Jul 05 2023, Alexander Bluhm <alexander.bl...@gmx.net> wrote:
> > On Wed, Jul 05, 2023 at 05:35:01PM +0200, Jeremie Courreges-Anglas wrote:
> >> On Tue, Jul 04 2023, Alexander Bluhm <alexander.bl...@gmx.net> wrote:
> >> > Hi,
> >> >
> >> > ok to import splicebench-1.02 ?
> >>
> >> At first I got puzzled by SUPDISTFILES but go for it if you find it useful.
> >
> > If upstream provides a gpg signature, I download it and check it.
> > Although it is not perfect to prevent backdoors, I would feel very
> > bad if I committed a tampered port that could be detected by a
> > signature.
> >
> > Downloading the detached signature as SUPDISTFILES makes it easy
> > to verify manually.
> >
> > Any better idea to prevent supply chain attacks?
>
> I'm not objecting to the rationale, I also check signatures whenever
> I can. This reminds me of a proposal from Stuart which I liked a lot
> but I haven't pushed for... until now:
>
> https://marc.info/?l=openbsd-ports&m=157687699320320&w=2
I like the SIGFILES diff. It automates what I do manually.

bluhm