tech-pkg archive


Re: Reasons for having SHA512?



 >> While cksums from SHA512 are definitely useful, I'm wondering whether the
 >> SHA512.gz file itself is really necessary. We can store cksums inside
 >> pkg_summary(5), for example, like the following.
 >> 
 >>    PKGNAME=abcde-2.3.99.7
 >>    COMMENT=Command-line utility to rip and encode an audio CD
 >>    SIZE_PKG=175220
 >>    CKSUM=<cksum_type> <cksum>
 >>    ...
 >> 
 >> where <cksum_type> is sha512, rmd160, md5 or anything else supported by
 >> digest(1).
 >> 
 >> My idea is to provide _single_ file (signed!) containing everything
 >> needed for package management.
 >> 
 >> Ideas?

> Seems like a good idea to me; however, from a package management
> perspective, I believe that single signed pkg_summary file (the one you
> propose, with a list of cksums) AND per-package signature should be both
> possible.

If we sign pkg_summary(5) containing sha512 and rmd160 cksums (just like
we do for distfiles) for all packages, is it really necessary to sign
every package individually?  I think not. It seems to me that we can just
remove some unnecessary code from pkg_admin(8) and keep pkg_summary(5)
and binary packages on ftp:// always in sync.

-- 
Best regards, Aleksey Cheusov.
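The following is an added illustration of the scheme discussed in this thread, written for this archive page; it is not code from the thread's participants nor from pkgsrc. It assumes the record layout from the quoted proposal (KEY=VALUE lines separated by blank lines, with a `CKSUM=<cksum_type> <cksum>` field), and uses Python's hashlib in place of digest(1). The function names `parse_pkg_summary`, `make_summary_entry` and `verify_package` are hypothetical, and the package contents are constructed bytes, not real packages. The verifier side checks SIZE_PKG before hashing, refuses digest types outside an allowlist (so an md5 entry in the summary is rejected rather than trusted), and compares digests in constant time. Everything it decides rests on the summary text being authentic, which is exactly why the thread wants that one file signed.

```python
"""Checksums carried inside pkg_summary(5)-style records (hypothetical demo, not pkgsrc code)."""
import hashlib
import hmac

# cksum_type names as they would appear in the summary, mapped to hashlib names.
# Only sha512 is accepted here; rmd160 is listed so the mapping shape is clear,
# but whether hashlib can compute it depends on the local OpenSSL build.
DIGEST_NAMES = {"sha512": "sha512", "rmd160": "ripemd160"}
ACCEPTED_CKSUM_TYPES = {"sha512"}  # md5 entries are refused even if present


def parse_pkg_summary(text: str) -> dict:
    """Parse KEY=VALUE records separated by blank lines into {PKGNAME: {KEY: VALUE}}.
    Simplification: repeated keys (e.g. DEPENDS) keep only the last value."""
    records, current = {}, {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records[current["PKGNAME"]] = current
                current = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed pkg_summary line: {line!r}")
        current[key] = value
    if current:
        records[current["PKGNAME"]] = current
    return records


def make_summary_entry(pkgname: str, comment: str, pkg_bytes: bytes,
                       cksum_type: str = "sha512") -> str:
    """Publisher side: build one record with SIZE_PKG and CKSUM filled from the package bytes."""
    digest = hashlib.new(DIGEST_NAMES[cksum_type], pkg_bytes).hexdigest()
    return "\n".join([
        f"PKGNAME={pkgname}",
        f"COMMENT={comment}",
        f"SIZE_PKG={len(pkg_bytes)}",
        f"CKSUM={cksum_type} {digest}",
    ]) + "\n"


def verify_package(summary: dict, pkgname: str, pkg_bytes: bytes) -> str:
    """Client side: check downloaded package bytes against the (already authenticated) summary.
    Returns a short verdict string rather than raising, so every failure mode is explicit."""
    entry = summary.get(pkgname)
    if entry is None:
        return "missing-entry"
    cksum = entry.get("CKSUM")
    if cksum is None:
        return "missing-cksum"
    cksum_type, _, expected = cksum.partition(" ")
    if cksum_type not in ACCEPTED_CKSUM_TYPES:
        return "unsupported-cksum"
    # Cheap size check first; a wrong SIZE_PKG can never hash to the right value.
    if entry.get("SIZE_PKG") != str(len(pkg_bytes)):
        return "size-mismatch"
    actual = hashlib.new(DIGEST_NAMES[cksum_type], pkg_bytes).hexdigest()
    if not hmac.compare_digest(actual, expected.strip().lower()):
        return "cksum-mismatch"
    return "ok"


# Constructed sample data: these bytes stand in for binary packages.
PKG_ABCDE = b"constructed stand-in for abcde-2.3.99.7.tgz"
PKG_OTHER = b"constructed stand-in for another package"

# The summary is generated from the sample bytes, plus one hand-written md5 record
# (constructed digest value) to show that the verifier refuses that digest type.
SUMMARY_TEXT = (
    make_summary_entry("abcde-2.3.99.7", "Command-line utility to rip and encode an audio CD", PKG_ABCDE)
    + "\n"
    + make_summary_entry("other-1.0", "Second constructed package", PKG_OTHER)
    + "\n"
    + "PKGNAME=legacy-1.0\nCOMMENT=Record with a refused digest type\nSIZE_PKG=5\n"
    + "CKSUM=md5 0123456789abcdef0123456789abcdef\n"
)
SUMMARY = parse_pkg_summary(SUMMARY_TEXT)


def tampered(pkg: bytes) -> bytes:
    """Same length as the original, one bit flipped: passes the size check, fails the digest."""
    return pkg[:-1] + bytes([pkg[-1] ^ 0x01])


if __name__ == "__main__":
    print(SUMMARY_TEXT)
    print("genuine  :", verify_package(SUMMARY, "abcde-2.3.99.7", PKG_ABCDE))
    print("tampered :", verify_package(SUMMARY, "abcde-2.3.99.7", tampered(PKG_ABCDE)))
    print("md5 entry:", verify_package(SUMMARY, "legacy-1.0", b"hello"))
```

Run it as a script to see the generated summary and the verdict for a genuine, a tampered and an md5-only record. A real client would first check the signature over the whole summary file before calling `verify_package`; the digest check alone only ties the downloaded bytes to whatever the summary says.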

