On 2023/07/05 21:21, Jeremie Courreges-Anglas wrote: > On Wed, Jul 05 2023, Alexander Bluhm <alexander.bl...@gmx.net> wrote: > > On Wed, Jul 05, 2023 at 05:35:01PM +0200, Jeremie Courreges-Anglas wrote: > >> On Tue, Jul 04 2023, Alexander Bluhm <alexander.bl...@gmx.net> wrote: > >> > Hi, > >> > > >> > ok to import splicebench-1.02 ? > >> > >> At first I got puzzled by SUPDISTFILES but gofor it if you find it useful. > > > > If upstream provides a gpg signature, I download it and check it. > > Although it is not perfect to prevent backdoors, I would feel very > > bad, if I would commit a tampered port that could be detected by a > > signature. > > > > Downloading the detached signature as SUPDISTFILES makes it easy > > to verify manually. > > > > Any better idea to prevent supply chain attacks? > > I'm not objecting to the rationale, I also check signatures whenever > I can. This reminds me of a proposal from Stuart which I liked a lot > but I haven't pushed for... until now: > > https://marc.info/?l=openbsd-ports&m=157687699320320&w=2
I lost interest when it turned into a load mkre complication and a new tool to verify pgp signatures that would only run on certain archs and reverted to my previous method, "stick a shell script in the port directory that will download and check the signature when run by hand".
