Subject: Re: CVS commit: src/distrib/sets
To: None <email@example.com>
From: Jason Thorpe <firstname.lastname@example.org>
Date: 11/11/2004 11:37:11
Content-Type: text/plain; charset=US-ASCII; format=flowed
On Nov 11, 2004, at 9:29 AM, Thor Lancelot Simon wrote:
> To extend the printed-book metaphor a bit further: you might need more
> than one signature, e.g. the "publisher" and the "printer" -- the
> builder of the package. For system packages, or packages actually
> compiled -- "printed" -- under the aegis of the publishing entity, it
> seems reasonable that these signatures would be the same. But it is
> easy to think of cases in which they would not be. (e.g. packages
> "published" by pkgsrc but built by a 3rd party).
Yah, I would agree with that. And then designated pkgsrc bulk-builders
for each architecture would get "printing certificates".
> On the other hand, this maps reasonably nicely to the X.509 trust
> model: a "publisher" is a certificate authority, and a "printer"
> is a party authorized by that CA to represent his binary packages
> as "published" by the "publisher".
Exactly. Convenient, eh? :-)
> Does this all make sense? The binary package would have to bear the
> publisher name -- probably as an X.500 long name with a "common name"
> of something like "email@example.com" or "netbsd-pkgsrc" or
> and the signature could either be by a certificate signed by the
> with CN firstname.lastname@example.org, or some other party; which leaves it up to
> user to decide whether he wants to install such a package or not, while
> still letting the package tools simply look at the CN field in the
> package (*not the signature*) when deciding what to do when displaying
> information, etc.
E-mail style names are good... possibly tied to the CVS module the code
comes from... email@example.com, firstname.lastname@example.org, email@example.com ...
and those would be valid emails that reach a designated "manager" for
that repository module.
And, again, pkg_info would default to listing those packages that are
published by firstname.lastname@example.org ... with command line options to list
specific publishers, or all publishers.
-- Jason R. Thorpe <email@example.com>
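The publisher-as-CA / printer-as-certified-builder arrangement discussed in the exchange above, worked through with openssl as an added example. This is not code from the thread, from pkgsrc, or from the NetBSD package tools; every name in it (the publisher CN "netbsd-pkgsrc", the builder CN "bulk-builder-amd64", the PKGNAME/PUBLISHER/FILES manifest format, the .sig file convention) is made up for illustration, and it assumes a reasonably current openssl on the PATH.

```shell
#!/bin/sh
# Added example, not code from this thread, pkgsrc or the NetBSD package
# tools. Models the "publisher is a CA, printer is a builder certified by
# the publisher" scheme with openssl. Every name here (netbsd-pkgsrc,
# bulk-builder-amd64, the PKGNAME/PUBLISHER/FILES manifest lines) is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Publisher: a self-signed CA whose CN is the publisher name.
make_publisher() {   # $1 = publisher CN, $2 = output prefix
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# Printer: a bulk builder whose certificate is issued by the publisher CA.
make_printer() {     # $1 = printer CN, $2 = output prefix, $3 = publisher prefix
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$3.crt" -CAkey "$3.key" \
    -CAcreateserial -days 30 -out "$2.crt" 2>/dev/null
}

# Rogue printer: claims the same CN but is self-signed, not publisher-issued.
make_rogue_printer() {   # $1 = printer CN, $2 = output prefix
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# Constructed package manifest: the publisher name travels in clear text so
# pkg_info-style tools can read it without looking at the signature.
write_manifest() {   # $1 = manifest file, $2 = PKGNAME, $3 = publisher CN
  printf 'PKGNAME=%s\nPUBLISHER=%s\nFILES=bin/%s\n' "$2" "$3" "${2%%-*}" > "$1"
}

manifest_field() {   # $1 = manifest file, $2 = field name
  sed -n "s/^$2=//p" "$1"
}

sign_manifest() {    # $1 = manifest file, $2 = printer prefix; writes $1.sig
  openssl dgst -sha256 -sign "$2.key" -out "$1.sig" "$1"
}

# Accept a package only if (1) the printer cert chains to the trusted
# publisher CA, (2) the publisher named in the manifest is that CA's CN,
# and (3) the signature verifies under the printer's public key.
verify_package() {   # $1 = manifest, $2 = printer cert, $3 = trusted publisher cert
  openssl verify -CAfile "$3" "$2" 2>/dev/null | grep -q ': OK$' || return 1
  issuer=$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  [ "$issuer" = "CN=$(manifest_field "$1" PUBLISHER)" ] || return 1
  openssl x509 -in "$2" -noout -pubkey > "$2.pub"
  openssl dgst -sha256 -verify "$2.pub" -signature "$1.sig" "$1" >/dev/null 2>&1
}

# pkg_info-style listing: by default only the chosen publisher's packages,
# "all" for every publisher. Reads the manifest field, not the signature.
list_packages() {    # $1 = publisher CN or "all", remaining args = manifests
  pub=$1; shift
  for m in "$@"; do
    if [ "$pub" = all ] || [ "$(manifest_field "$m" PUBLISHER)" = "$pub" ]; then
      manifest_field "$m" PKGNAME
    fi
  done
}

main() {
  make_publisher netbsd-pkgsrc "$WORK/publisher"
  make_printer bulk-builder-amd64 "$WORK/printer" "$WORK/publisher"
  make_rogue_printer bulk-builder-amd64 "$WORK/rogue"

  write_manifest "$WORK/foo.mf" foo-1.0 netbsd-pkgsrc; sign_manifest "$WORK/foo.mf" "$WORK/printer"
  write_manifest "$WORK/bar.mf" bar-2.1 netbsd-pkgsrc; sign_manifest "$WORK/bar.mf" "$WORK/rogue"
  write_manifest "$WORK/baz.mf" baz-0.3 example-org;   sign_manifest "$WORK/baz.mf" "$WORK/printer"
  # Tampered copy of foo: manifest edited after signing, signature reused.
  sed 's#^FILES=.*#FILES=bin/foo bin/backdoor#' "$WORK/foo.mf" > "$WORK/tampered.mf"
  cp "$WORK/foo.mf.sig" "$WORK/tampered.mf.sig"

  for case in "foo.mf printer" "bar.mf rogue" "tampered.mf printer"; do
    set -- $case
    if verify_package "$WORK/$1" "$WORK/$2.crt" "$WORK/publisher.crt"; then
      echo "$1 signed by $2: accepted"
    else
      echo "$1 signed by $2: rejected"
    fi
  done
  echo "default listing (netbsd-pkgsrc only):"
  list_packages netbsd-pkgsrc "$WORK/foo.mf" "$WORK/bar.mf" "$WORK/baz.mf"
  echo "all publishers:"
  list_packages all "$WORK/foo.mf" "$WORK/bar.mf" "$WORK/baz.mf"
}
main
```

The listing and the verification are deliberately separate, as the thread proposes: list_packages trusts the PUBLISHER field for display only, while verify_package is what an install would gate on. One policy choice is hard-coded here: a manifest claiming "netbsd-pkgsrc" but signed under some other CA the user also trusts is rejected, because the issuer CN must equal the manifest's publisher; the thread leaves that decision to the user, so a real tool would surface the mismatch rather than silently refuse.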