tech-pkg archive


Re: Call for tests: pkg_install-renovation

On Mon, May 26, 2008 at 08:02:26AM +0100, Alistair Crooks wrote:
> nroff-fu is not needed.  Plain text will do.  In my experiences in the
> past with, it is not immediately obvious what needs to be done
> to create a CA, or even what a CA is.

Do you know a *good* tutorial on this topic? I don't think we should
even try to explain the full process as it is too easy to make mistakes
here. It is also outside the scope of a man page. I think the only place
where it would ever make sense is in the pkgsrc guide, but even that
seems far-fetched.

> > CERTIFICATE_ANCHOR_PKGS should point to .../newcerts/00.pem.
> > 
> > To sign a package, use
> > pkg_admin sign-package pkg.tgz signed/pkg.tgz \
> >     .../private/cakey.pem .../newcerts/00.pem
> > 
> > The signature check is enabled by setting VERIFIED_INSTALLATION
> > accordingly.
>
> At the danger of repeating myself, and since this area has changed
> significantly from the previous way of doing things, you need to
> explain (a) what a cakey.pem is, and where to get it. You also need
> to explain what newcerts/00.pem is, and where to get one.

... is the base path of the CA as generated with, so cakey.pem is
the private signing key, 00.pem is the public certificate for that.

> > pkg_add does, yes. It will even more in the short-term future when I am
> > adding a second database to speed up @pkgdep and @pkgcfl handling, but
> > that's in the future. pkg_create doesn't as it would be too late at the
> > time it is running.
>
> Hmm, interesting. I wasn't aware that you were going to tie us into this
> way of doing things - mainly because I don't think it's a good idea.
> Where was this change discussed?

Multiple times at pkgsrcCon and on the mailing lists. Whenever the topic of
overlapping PLISTs comes up, this was asked for. Essentially this makes
the process of conflict handling automatic as it should be.
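
The roles of the two files named in the reply above (private signing key, public certificate), as an added example that is not part of the original message or of pkg_install. It assumes openssl(1) is installed, builds a throwaway self-signed signer in the same private/cakey.pem and newcerts/00.pem layout, and uses a detached PKCS#7 signature as a stand-in for pkg_admin sign-package; the function names and the /CN value are constructed.

```shell
#!/bin/sh
# Added example. Assumption: openssl(1) stands in for the tooling in the thread.

# Create a throwaway key and self-signed certificate in the thread's layout.
make_ca() {  # $1 = CA base directory
    mkdir -p "$1/private" "$1/newcerts" && chmod 700 "$1/private" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed test signer" \
        -keyout "$1/private/cakey.pem" -out "$1/newcerts/00.pem" 2>/dev/null &&
    chmod 600 "$1/private/cakey.pem"
}

# True only if the certificate carries the public half of the private key.
pair_matches() {  # $1 = private key, $2 = certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Detached PKCS#7 signature over a file, made with the private key.
sign_file() {  # $1 = file, $2 = key, $3 = certificate, $4 = signature out
    openssl smime -sign -binary -in "$1" -inkey "$2" -signer "$3" \
        -outform PEM -out "$4" 2>/dev/null
}

# Verification needs only the certificate, used here as the trust anchor.
verify_file() {  # $1 = file, $2 = signature, $3 = anchor certificate
    openssl smime -verify -binary -inform PEM -in "$2" -content "$1" \
        -CAfile "$3" -out /dev/null 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d/ca" || return 1
    key="$d/ca/private/cakey.pem"; cert="$d/ca/newcerts/00.pem"
    printf 'constructed package payload\n' > "$d/pkg.bin"
    pair_matches "$key" "$cert" && echo "key/certificate pair: match"
    sign_file "$d/pkg.bin" "$key" "$cert" "$d/pkg.sig"
    verify_file "$d/pkg.bin" "$d/pkg.sig" "$cert" && echo "verify: ok"
    printf 'tampered\n' >> "$d/pkg.bin"
    verify_file "$d/pkg.bin" "$d/pkg.sig" "$cert" || echo "verify after tamper: rejected"
    rm -rf "$d"
}
demo
```

Only the certificate has to be distributed to machines that verify packages; the private key stays on the signing host with restrictive permissions.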

