tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Reasons for having SHA512?

On 06.09.2011 10:25, Aleksey Cheusov wrote:
> On Tue, Jun 14, 2011 at 12:16 AM, Jean-Yves Migeon
> <> wrote:
>> On 12.06.2011 22:16, Aleksey Cheusov wrote:
>>> While cksums from SHA512 is definitely useful I'm thinking about is
>>> SHA512.gz file itself is really necessary. We can store cksums inside
>>> pkg_summary(5), for example, like the following.
>>>    PKGNAME=abcde-
>>>    COMMENT=Command-line utility to rip and encode an audio CD
>>>    SIZE_PKG=175220
>>>    CKSUM=<cksum_type> <cksum>
>>>    ...
>>> where <cksum_type> is sha512, rmd160, md5 or anything else supported by 
>>> digest(1).
>>> My idea is to provide _single_ file (signed!) containing everything
>>> needed for package management.
>>> Ideas?
>> Seems like a good idea to me;
> I'd like to commit the ttached patch. Objections?

One question: will it support multivalue, like:

CKSUM=SHA1 2d7bb5572221afa7d7fb30c8d19d3f693bfeee14
CKSUM=MD5 d9f7497c382d9ee2709f9d1b560aecaf

I don't object this, but keep in mind that my reasoning still applies:
signing only one file for package management does not make it easy when
you move .tar.gz packages around.

You end up having all the info inside a separate pkg_summary file, and
you can't just "build package" => "sign it" => "install it elsewhere" as
easily: you also have to regenerate the sig for the pkg_summary,
provided you have one, and have it readily accessible when you pkg_add.

Jean-Yves Migeon

Home | Main Index | Thread Index | Old Index