Re: pkg_add functions and renovation

To: tech-pkg%netbsd.org@localhost
Subject: Re: pkg_add functions and renovation
From: Joerg Sonnenberger <joerg%britannica.bec.de@localhost>
Date: Wed, 23 Apr 2008 13:18:51 +0200

On Wed, Apr 23, 2008 at 09:14:47AM +0100, Alistair Crooks wrote:
> Oh, and rather than wrapping it in yet another tarball, just append
> the digital sig to the end of an existing tarball - that was mycroft's
> suggestion some time ago, and was the same one I explained to you
> yesterday. tar should treat the sig as noise. There is no need for
> multiple hashes - either a package has been tampered with, or it hasn't,
> and so one signature covering the whole binary package is sufficient.

It makes it impossible to process the package as stream. You have to
either buffer the full stream or write it to disk first. Writing the
signature first makes it possible to stream it.

> But I always come back to the question - we already have something
> that works - why are you reinventing the wheel as multiple square
> objects?

It only works for a single very limited case -- local files. For local
files it has very limited use because you can just do it once in
advance. It does not handle remote packages and that's where missing
trust is a lot more likely.

Joerg

References:
- pkg_add functions and renovation
  - From: Joerg Sonnenberger
- Re: pkg_add functions and renovation
  - From: Alistair Crooks

Prev by Date: Re: pkg_add functions and renovation
Next by Date: Re: pkg_add functions and renovation
Previous by Thread: Re: pkg_add functions and renovation
Next by Thread: Re: pkg_add functions and renovation
Indexes:

Home | Main Index | Thread Index | Old Index