tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: pkg_add functions and renovation

On Wed, Apr 23, 2008 at 09:14:47AM +0100, Alistair Crooks wrote:
> Oh, and rather than wrapping it in yet another tarball, just append
> the digital sig to the end of an existing tarball - that was mycroft's
> suggestion some time ago, and was the same one I explained to you
> yesterday. tar should treat the sig as noise. There is no need for
> multiple hashes - either a package has been tampered with, or it hasn't,
> and so one signature covering the whole binary package is sufficient.

It makes it impossible to process the package as stream. You have to
either buffer the full stream or write it to disk first. Writing the
signature first makes it possible to stream it.

> But I always come back to the question - we already have something
> that works - why are you reinventing the wheel as multiple square
> objects?

It only works for a single very limited case -- local files. For local
files it has very limited use because you can just do it once in
advance. It does not handle remote packages and that's where missing
trust is a lot more likely.


Home | Main Index | Thread Index | Old Index