Subject: Re: CVS commit: src/distrib/sets
To: Jason Thorpe <thorpej@shagadelic.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-pkg
Date: 11/11/2004 12:29:44
On Thu, Nov 11, 2004 at 09:20:26AM -0800, Jason Thorpe wrote:
> 
> On Nov 11, 2004, at 9:07 AM, Thor Lancelot Simon wrote:
> 
> >Perhaps we need the concept of a package "source" or "publishing entity";
> >so one could ask the package tools to list out only packages published
> >by "NetBSD-pkgsrc", for instance, instead of by "NetBSD-src"; so the
> >default pkg_info invocation could skip packages published by "NetBSD-src",
> >in other words "skip system packages" but one could easily tell it not
> >to.
> 
> I think this is a marvelous idea, and by using certificates to identify 
> the publisher, you could leverage it to sign the individual packages, 
> as well.

To extend the printed-book metaphor a bit further: you might need more
than one signature, e.g. the "publisher" and the "printer" -- the actual
builder of the package.  For system packages, or packages actually
compiled -- "printed" -- under the aegis of the publishing entity, it
seems reasonable that these signatures would be the same.  But it is
easy to think of cases in which they would not be. (e.g. packages
"published" by pkgsrc but built by a 3rd party).

On the other hand, this maps reasonably nicely to the X.509 trust
model: a "publisher" is a certificate authority, and a "printer"
is a party authorized by that CA to represent his binary packages
as "published" by the "publisher".

Does this all make sense?  The binary package would have to bear the
publisher name -- probably as an X.500 long name with a "common name"
of something like "pkgsrc@netbsd.org" or "netbsd-pkgsrc" or "netbsd-src"
and the signature could either be by a certificate signed by the authority
with CN pkgsrc@netbsd.org, or some other party; which leaves it up to the
user to decide whether he wants to install such a package or not, while
still letting the package tools simply look at the CN field in the
package (*not the signature*) when deciding what to do when displaying
information, etc.

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud
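The publisher/printer scheme sketched in the message above, worked through in Go as an added example. It is not code from this thread or from the NetBSD package tools; the Package record and its field names, the helper names, and the use of "netbsd-pkgsrc" and "netbsd-src" as the CNs of the trust anchors are assumptions of the example (the thread only proposes that the package bear the publisher CN and a signature by a party the publisher authorized). The publisher is a self-signed CA, a printer holds a certificate issued by that CA, and the package carries the publisher's CN in the clear next to the printer's certificate and its signature. Listing packages "published by" someone is then just a comparison on the declared CN field; verifyPackage is the install-time check that ties that declared CN to the signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Package is the record the package tool reads; field names are assumptions for this example.
type Package struct {
	Name        string
	Publisher   string // declared publisher CN ("netbsd-pkgsrc", "netbsd-src", ...), read as-is
	Payload     []byte // package contents
	PrinterCert []byte // DER certificate of the builder ("printer"), issued by the publisher CA
	Signature   []byte // ASN.1 ECDSA signature over digest(p)
}

// newCert issues an ECDSA P-256 certificate for cn. With parent == nil it is a self-signed
// publisher CA; otherwise it is a printer certificate signed by that publisher's key.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial; a real CA tracks these
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed publisher CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// digest binds name, declared publisher and contents so none can be swapped after signing
// (NUL separators are unambiguous here: package names and CNs contain no NUL bytes).
func digest(p Package) []byte {
	sum := sha256.Sum256([]byte(p.Name + "\x00" + p.Publisher + "\x00" + string(p.Payload)))
	return sum[:]
}

// signPackage is the printer's step: declare a publisher, then sign with the key behind the
// printer's publisher-issued certificate.
func signPackage(name, publisher string, payload []byte, printer *x509.Certificate, key *ecdsa.PrivateKey) (Package, error) {
	p := Package{Name: name, Publisher: publisher, Payload: payload, PrinterCert: printer.Raw}
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(p))
	p.Signature = sig
	return p, err
}

// verifyPackage is the install-time check: the printer certificate must chain to a trusted
// publisher CA, that CA must be the publisher the package declares (so a printer authorized
// by one publisher cannot label its output as another's), and the signature must hold.
func verifyPackage(p Package, roots *x509.CertPool) (string, error) {
	printer, err := x509.ParseCertificate(p.PrinterCert)
	if err != nil {
		return "", err
	}
	chains, err := printer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return "", fmt.Errorf("printer not authorized by a trusted publisher: %w", err)
	}
	root := chains[0][len(chains[0])-1]
	if root.Subject.CommonName != p.Publisher {
		return "", fmt.Errorf("package declares publisher %q but printer was authorized by %q", p.Publisher, root.Subject.CommonName)
	}
	pub, ok := printer.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest(p), p.Signature) {
		return "", fmt.Errorf("signature on %q does not verify", p.Name)
	}
	return root.Subject.CommonName, nil
}

func main() {
	ca, caKey, _ := newCert("netbsd-pkgsrc", nil, nil)
	printer, printerKey, _ := newCert("third-party-builder", ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	p, _ := signPackage("foo-1.0", "netbsd-pkgsrc", []byte("constructed sample contents"), printer, printerKey)
	fmt.Println(verifyPackage(p, roots)) // prints: netbsd-pkgsrc <nil>
}
```

The check that the root of the printer's chain is the declared publisher is what makes the "look at the CN field, not the signature" shortcut safe for display: pkg_info can hide or show packages purely by the declared CN, because anything that reached the installed set already had that CN tied to a publisher-authorized printer at install time. Without it, a package could declare "netbsd-src" (and so be treated as a system package) while being signed by a printer certified by some other CA the user happens to trust.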