| Subject: | Re: [ECFT] pkgng 0.1-alpha1: a replacement for pkg_install | |
|---|---|---|
| From: | Tim Kientzle (kien...@freebsd.org) | |
| Date: | Mar 28, 2011 9:15:18 pm | |
| List: | org.freebsd.freebsd-ports | |
II. Package signing.
That would be really nice.
Right now we only planned to sign the repo database, so we can trust the sha256 of the packages stored in the database. Then if the package has the same sha256 as the one in the repo database it is considered trusted. If we want a per-package signing, we would have a tarball in a tarball.
I really expected this to have been mentioned already, but this approach
(tarball in a tarball) is taken by Debian packages, and I don't remember hearing
of any issues related to it. I don't think it's worth discounting from the
start without giving some consideration, but I will defer to the people
actually doing the work.
If you use libarchive-style streaming, it's even pretty straightforward to read and extract such things without having to create a bunch of temporary files.
You just need to be careful about compression.
Tim
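
The scheme discussed in this message, as an added example that is not part of the original email or of pkgng: it streams a tarball in a tarball with Python's `tarfile` (standing in for libarchive), hashes the inner tarball while unpacking it in memory, and releases the files only if the SHA-256 equals the value from the repo database, which is assumed to have been signature-checked already. The member names `payload.tar.gz` and `signature`, the 1 MiB cap and all function names are assumptions.

```python
import hashlib, io, tarfile

MAX_UNPACKED = 1 << 20  # assumed cap on unpacked payload bytes, not a pkgng value
class HashingReader:
    """File-like wrapper that feeds every byte it hands out into SHA-256."""
    def __init__(self, fileobj):
        self.fileobj, self.digest = fileobj, hashlib.sha256()
    def read(self, size=-1):
        data = self.fileobj.read(size)
        self.digest.update(data)
        return data

def read_package(stream, trusted_sha256, inner_name="payload.tar.gz"):
    """Stream the outer tar, unpack the inner tarball in memory while hashing it,
    and release the files only if the digest equals the repo database value."""
    with tarfile.open(fileobj=stream, mode="r|") as outer:
        for member in outer:
            if member.name != inner_name:
                continue
            reader, files, total = HashingReader(outer.extractfile(member)), {}, 0
            with tarfile.open(fileobj=reader, mode="r|gz") as inner:
                for entry in inner:
                    if not entry.isfile():
                        continue
                    total += entry.size
                    if total > MAX_UNPACKED:  # bound unpacked size before reading
                        raise ValueError("payload exceeds size cap")
                    files[entry.name] = inner.extractfile(entry).read()
            while reader.read(65536):  # hash trailing bytes tarfile did not consume
                pass
            if reader.digest.hexdigest() != trusted_sha256:
                raise ValueError("sha256 mismatch: package not trusted")
            return files
    raise ValueError("no payload member in package")

def make_tar(members, mode):
    """Build a tar archive in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    inner = make_tar({"bin/hello": b"#!/bin/sh\necho hello\n"}, "w:gz")
    package = make_tar({"signature": b"(placeholder)", "payload.tar.gz": inner}, "w")
    print(read_package(io.BytesIO(package), hashlib.sha256(inner).hexdigest()))
```

Nothing is written to disk and no file content is returned until the whole inner tarball has been hashed, so a package whose digest does not match the database never reaches the install step.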