tech-pkg archive
Re: Reasons for having SHA512?
>> While cksums from SHA512 are definitely useful, I'm thinking about whether
>> the SHA512.gz file itself is really necessary. We can store cksums inside
>> pkg_summary(5), for example, like the following.
>>
>> PKGNAME=abcde-2.3.99.7
>> COMMENT=Command-line utility to rip and encode an audio CD
>> SIZE_PKG=175220
>> CKSUM=<cksum_type> <cksum>
>> ...
>>
>> where <cksum_type> is sha512, rmd160, md5 or anything else supported by
>> digest(1).
>>
>> My idea is to provide a _single_ file (signed!) containing everything
>> needed for package management.
>>
>> Ideas?
> Seems like a good idea to me; however, from a package management
> perspective, I believe that a single signed pkg_summary file (the one you
> propose, with a list of cksums) AND a per-package signature should both be
> possible.
If we sign pkg_summary(5) containing sha512 and rmd160 cksums (just like
we do for distfiles) for all packages, is it really necessary to sign
every package individually? I think not. It seems to me that we can just
remove some unnecessary code from pkg_admin(8) and keep pkg_summary(5)
and binary packages on ftp:// always in sync.
--
Best regards, Aleksey Cheusov.
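As an added illustration of the CKSUM=<cksum_type> <cksum> layout proposed in the thread (example code, not from the thread or from pkgsrc; the blank-line record separator, the sample package bytes and the second record are assumptions), a small parser and verifier that checks a package blob against its summary record and reports a tampered blob or a digest type the local hashlib cannot compute:

```python
import hashlib
import hmac

def parse_pkg_summary(text):
    """Split pkg_summary(5)-style text into one dict per blank-line separated record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key] = value
    if current:
        records.append(current)
    return records

def verify_pkg(record, pkg_bytes):
    """Check pkg_bytes against CKSUM=<type> <digest>; 'ok', 'mismatch', 'unsupported' or 'missing'."""
    cksum = record.get("CKSUM")
    if cksum is None:
        return "missing"
    algo, _, expected = cksum.partition(" ")
    try:                             # hashlib names rmd160 "ripemd160"; other names pass through
        digest = hashlib.new("ripemd160" if algo == "rmd160" else algo, pkg_bytes).hexdigest()
    except ValueError:               # digest type this hashlib build cannot compute
        return "unsupported"
    return "ok" if hmac.compare_digest(digest, expected.lower()) else "mismatch"

GOOD_PKG = b"constructed binary package contents\n"   # constructed stand-in for a .tgz
SUMMARY = (                                            # constructed two-record summary
    "PKGNAME=abcde-2.3.99.7\n"
    "COMMENT=Command-line utility to rip and encode an audio CD\n"
    f"SIZE_PKG={len(GOOD_PKG)}\n"
    f"CKSUM=sha512 {hashlib.sha512(GOOD_PKG).hexdigest()}\n"
    "\n"
    "PKGNAME=other-1.0\n"
    "CKSUM=nosuchdigest 0000\n"
)

def check_all():
    """Verify the samples: the genuine blob passes, a one-byte edit and an unknown digest fail."""
    recs = {r["PKGNAME"]: r for r in parse_pkg_summary(SUMMARY)}
    return {
        "good": verify_pkg(recs["abcde-2.3.99.7"], GOOD_PKG),
        "tampered": verify_pkg(recs["abcde-2.3.99.7"], GOOD_PKG[:-1] + b"!"),
        "unknown_algo": verify_pkg(recs["other-1.0"], b"abc"),
    }
```

The summary file is still only as trustworthy as the signature covering it, so the verifier above assumes that signature has already been checked before any CKSUM line is believed.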