tech-pkg archive
Re: Reasons for having SHA512?
On 06.09.2011 10:25, Aleksey Cheusov wrote:
> On Tue, Jun 14, 2011 at 12:16 AM, Jean-Yves Migeon
> <jeanyves.migeon%free.fr@localhost> wrote:
>> On 12.06.2011 22:16, Aleksey Cheusov wrote:
>>> While cksums from SHA512 are definitely useful, I'm thinking about whether
>>> the SHA512.gz file itself is really necessary. We can store cksums inside
>>> pkg_summary(5), for example, like the following.
>>>
>>> PKGNAME=abcde-2.3.99.7
>>> COMMENT=Command-line utility to rip and encode an audio CD
>>> SIZE_PKG=175220
>>> CKSUM=<cksum_type> <cksum>
>>> ...
>>>
>>> where <cksum_type> is sha512, rmd160, md5 or anything else supported by
>>> digest(1).
>>>
>>> My idea is to provide a _single_ file (signed!) containing everything
>>> needed for package management.
>>>
>>> Ideas?
>>
>> Seems like a good idea to me;
>
> I'd like to commit the attached patch. Objections?

One question: will it support multivalue, like:

CKSUM=SHA1 2d7bb5572221afa7d7fb30c8d19d3f693bfeee14
CKSUM=MD5 d9f7497c382d9ee2709f9d1b560aecaf
...

I don't object to this, but keep in mind that my reasoning still applies:
signing only one file for package management does not make it easy when
you move .tar.gz packages around.

You end up having all the info inside a separate pkg_summary file, and
you can't just "build package" => "sign it" => "install it elsewhere" as
easily: you also have to regenerate the sig for the pkg_summary,
provided you have one, and have it readily accessible when you pkg_add.

--
Jean-Yves Migeon
jeanyves.migeon%free.fr@localhost
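
The multi-valued CKSUM field asked about above, as an added example that is not part of the original message or of pkgsrc: a sketch of how a client could read repeated CKSUM lines from a pkg_summary(5) record and check a package against the strongest type listed. The CKSUM field is only the proposal from this thread, the function names are hypothetical, and the summary's own signature is assumed to have been verified already.

```python
import hashlib
import hmac

# digest(1)-style type names mapped to hashlib names, strongest first.
# rmd160 is left out: hashlib only has it when the local OpenSSL does.
PREFERENCE = [("sha512", "sha512"), ("sha1", "sha1"), ("md5", "md5")]

def parse_pkg_summary(text):
    """Split pkg_summary text into blank-line-separated records.
    Repeated CKSUM lines (the proposed field) become a {type: hex} dict;
    other fields keep only their last value, which is enough here."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {"CKSUM": {}}
        for line in block.splitlines():
            key, sep, value = line.partition("=")
            if not sep:
                continue
            if key == "CKSUM":
                parts = value.split()
                if len(parts) == 2:
                    rec["CKSUM"][parts[0].lower()] = parts[1].lower()
            else:
                rec[key] = value
        records.append(rec)
    return records

def verify_package(rec, data):
    """Check SIZE_PKG, then only the strongest checksum type listed.
    Returns (ok, detail)."""
    if "SIZE_PKG" in rec and int(rec["SIZE_PKG"]) != len(data):
        return False, "size mismatch"
    for name, algo in PREFERENCE:
        expected = rec["CKSUM"].get(name)
        if expected is not None:
            actual = hashlib.new(algo, data).hexdigest()
            ok = hmac.compare_digest(actual, expected)
            return ok, name if ok else name + " mismatch"
    return False, "no usable checksum"

# Constructed sample: a fake package body and a two-record summary.
SAMPLE_PKG = b"constructed package bytes, not a real .tgz"
SAMPLE_SUMMARY = (
    "PKGNAME=abcde-2.3.99.7\n"
    "SIZE_PKG=%d\n"
    "CKSUM=SHA1 %s\n"
    "CKSUM=SHA512 %s\n"
    "\n"
    "PKGNAME=nocksum-1.0\n"
) % (len(SAMPLE_PKG), hashlib.sha1(SAMPLE_PKG).hexdigest(),
     hashlib.sha512(SAMPLE_PKG).hexdigest())
```

A record that carries both a weak and a strong type is judged on the strong one only, so a matching SHA1 line cannot paper over a SHA512 mismatch.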