Please remove MacGPG from due to serious security concerns

Doug Barton dougb at
Wed Feb 18 17:46:23 CET 2015

On 2/18/15 2:52 AM, Jonathan Schleifer wrote:
> Well, I guess you have to take into account that a lot of downloads are from packaging software like pkgsrc, FreeBSD ports, Gentoo portage, ArchLinux's makepkg, etc. Usually, these do download the signature and tarball once, verify it and then write a checksum to the Makefile / PKGBUILD / however it is called that is then verified. So I guess you can't easily map that to "Only x% of users check the downloaded tarball". I guess it's a lot more, it's just not all check it using the .sig.

Back when I was involved with the FreeBSD project I included code in the 
Makefile to verify the PGP signature for all of my ports that had one, 
as did a few other maintainers. However there was not only not a 
consensus to do this more generally, there was active opposition to 
doing it at all.

If you are a FreeBSD user and believe that this would be something 
beneficial to the ports system, please send them e-mail at 
freebsd-ports at and let them know. :)


More information about the Gnupg-users mailing list