Subject: Re: CVS commit: src/distrib/sets
To: None <tls@rek.tjls.com>
From: Jason Thorpe <thorpej@shagadelic.org>
List: tech-userlevel
Date: 11/11/2004 11:37:11
--Apple-Mail-4--511936075
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII; format=flowed
On Nov 11, 2004, at 9:29 AM, Thor Lancelot Simon wrote:
> To extend the printed-book metaphor a bit further: you might need more
> than one signature, e.g. the "publisher" and the "printer" -- the
> actual
> builder of the package. For system packages, or packages actually
> compiled -- "printed" -- under the aegis of the publishing entity, it
> seems reasonable that these signatures would be the same. But it is
> easy to think of cases in which they would not be. (e.g. packages
> "published" by pkgsrc but built by a 3rd party).
Yah, I would agree with that. And then designated pkgsrc bulk-builders
for each architecture would get "printing certificates".
> On the other hand, this maps reasonably nicely to the X.509 trust
> model: a "publisher" is a certificate authority, and a "printer"
> is a party authorized by that CA to represent his binary packages
> as "published" by the "publisher".
Exactly. Convenient, eh? :-)
> Does this all make sense? The binary package would have to bear the
> publisher name -- probably as an X.500 long name with a "common name"
> of something like "pkgsrc@netbsd.org" or "netbsd-pkgsrc" or
> "netbsd-src"
> and the signature could either be by a certificate signed by the
> authority
> with CN pkgsrc@netbsd.org, or some other party; which leaves it up to
> the
> user to decide whether he wants to install such a package or not, while
> still letting the package tools simply look at the CN field in the
> package (*not the signature*) when deciding what to do when displaying
> information,e tc.
E-mail style names are good.. possibly tied to the CVS module the code
comes from... src@netbsd.org, xsrc@netbsd.org, pkgsrc@netbsd.org ...
and those would be valid emails that reach a designated "manager" for
that repository module.
And, again, pkg_info would default to listing those packages that are
published by pkgsrc@netbsd.org ... with command line options to list
specific publishers, or all publishers.
-- Jason R. Thorpe <thorpej@shagadelic.org>
--Apple-Mail-4--511936075
content-type: application/pgp-signature; x-mac-type=70674453;
name=PGP.sig
content-description: This is a digitally signed message part
content-disposition: inline; filename=PGP.sig
content-transfer-encoding: 7bit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
iD8DBQFBk79nOpVKkaBm8XkRAoXlAJsEsschiBs3YuLV+nN5Tr8PBqOD4gCfUsic
Dt7RPXRUrmau37hYS6G/1nM=
=do4X
-----END PGP SIGNATURE-----
--Apple-Mail-4--511936075--