Subject: Re: signed binary pkgs [was: Re: BPG call for use cases]
To: Malcolm Herbert <mjch@mjch.net>
From: Alistair Crooks <agc@pkgsrc.org>
List: tech-pkg
Date: 07/28/2005 18:43:13
On Tue, Jul 26, 2005 at 02:46:56PM +1000, Malcolm Herbert wrote:
> On Mon, Jul 25, 2005 at 09:20:28PM -0700, Jason Thorpe wrote:
> |On Jul 25, 2005, at 5:20 PM, John Kohl wrote:
> |>separate mounted file system). If we're talking about serious
> |>rework of
> |>packaging for signing, how about switching to a zip or similar archive
> |>format with random access to members?
> |
> |I would certainly not object to such a change.
>
> I seem to recall that the GNU tar group were looking to do gzip
> compression of individual files before being placed in an archive stream
> rather than after it as this would have provided better support for
> things like backups via rsync, but I don't know how much progress they
> made in this area ...
>
> it doesn't get you random access though, I grant you ... :)
Just to blow my own trumpet, take a look at pkgsrc/archivers/archangel.
Taken from its description:
Archangel is an archiver for 2005 and beyond. Some features are:
+ cross-platform
+ individually {compressed,bzip2ed,gzipped} entries
+ individually {signed,encrypted,signed+encrypted} entries
+ entries can be padded to arbitrary lengths
All in all, a combination of zip, tar, and gpg on steroids
You can now backup files, and not be worried about people reading them,
either in transit or at their destination.
Entries have a maximum size of 1 MB (by default) internally, so that
media problems mean that you can recover the parts that aren't affected.
Just to elaborate on the last sentence - large files are broken into
chunks, the default size of which is 1 MB. This is to reduce the
impact of a medium error, or similar - the lost data is reduced to 1
MB. Other sizes can be chosen as desired and needed.
When I get some time, I will add an option to sign and/or encrypt
the entry's metadata, in addition to the entry itself.
Right now, archangel uses a callout to gpg. This will be changed to
use bpg when it becomes available.
Regards,
Alistair