tech-pkg archive


Re: Reasons for having SHA512?



On 06.09.2011 10:25, Aleksey Cheusov wrote:
> On Tue, Jun 14, 2011 at 12:16 AM, Jean-Yves Migeon
> <jeanyves.migeon%free.fr@localhost> wrote:
>> On 12.06.2011 22:16, Aleksey Cheusov wrote:
>>> While cksums from SHA512 are definitely useful, I'm thinking about whether
>>> the SHA512.gz file itself is really necessary. We can store cksums inside
>>> pkg_summary(5), for example, like the following.
>>>
>>>    PKGNAME=abcde-2.3.99.7
>>>    COMMENT=Command-line utility to rip and encode an audio CD
>>>    SIZE_PKG=175220
>>>    CKSUM=<cksum_type> <cksum>
>>>    ...
>>>
>>> where <cksum_type> is sha512, rmd160, md5 or anything else supported by 
>>> digest(1).
>>>
>>> My idea is to provide _single_ file (signed!) containing everything
>>> needed for package management.
>>>
>>> Ideas?
>>
>> Seems like a good idea to me;
> 
> I'd like to commit the attached patch. Objections?

One question: will it support multivalue, like:

CKSUM=SHA1 2d7bb5572221afa7d7fb30c8d19d3f693bfeee14
CKSUM=MD5 d9f7497c382d9ee2709f9d1b560aecaf
...

I don't object to this, but keep in mind that my reasoning still applies:
signing only one file for package management does not make it easy when
you move .tar.gz packages around.

You end up having all the info inside a separate pkg_summary file, and
you can't just "build package" => "sign it" => "install it elsewhere" as
easily: you also have to regenerate the sig for the pkg_summary,
provided you have one, and have it readily accessible when you pkg_add.

-- 
Jean-Yves Migeon
jeanyves.migeon%free.fr@localhost
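As an added example (not code from the thread or from pkgsrc), a parser for the proposed CKSUM field that accepts repeated CKSUM lines, the multi-value case asked about above, and checks a package's bytes against each one. The pkg_summary text and package bytes are constructed here, and the table mapping digest(1) type names to hashlib names is an assumption.

```python
import hashlib

# Assumed mapping from <cksum_type> names used by digest(1) to hashlib names.
# rmd160 is listed but may be unavailable in hashlib builds without legacy OpenSSL.
DIGESTS = {"md5": "md5", "sha1": "sha1", "sha512": "sha512", "rmd160": "ripemd160"}

def parse_summary(text):
    """Parse pkg_summary(5)-style text: blank-line-separated KEY=VALUE records.
    Repeated keys (e.g. several CKSUM lines) are collected into a list."""
    records, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        key, _, value = line.partition("=")
        cur.setdefault(key, []).append(value)
    if cur:
        records.append(cur)
    return records

def check_cksums(record, data):
    """Return {cksum_type: True | False | None} for each CKSUM line of a record:
    True = digest matches, False = mismatch, None = digest type not checkable here."""
    results = {}
    for entry in record.get("CKSUM", []):
        ctype, _, expected = entry.partition(" ")
        algo = DIGESTS.get(ctype.lower())
        try:
            h = hashlib.new(algo) if algo else None
        except ValueError:  # algorithm known to us but missing from this hashlib
            h = None
        if h is None:
            results[ctype] = None
            continue
        h.update(data)
        results[ctype] = h.hexdigest() == expected.strip().lower()
    return results

def verify(summary_text, pkgname, data):
    """Find pkgname's record in the summary and check every CKSUM it carries."""
    rec = next(r for r in parse_summary(summary_text) if r["PKGNAME"] == [pkgname])
    return check_cksums(rec, data)

# Constructed stand-in for a binary package; the CKSUM lines below derive from it.
PKG_DATA = b"constructed bytes standing in for abcde-2.3.99.7.tgz\n"
SUMMARY = "\n".join([
    "PKGNAME=abcde-2.3.99.7",
    "COMMENT=Command-line utility to rip and encode an audio CD",
    "SIZE_PKG=%d" % len(PKG_DATA),
    "CKSUM=SHA512 " + hashlib.sha512(PKG_DATA).hexdigest(),
    "CKSUM=MD5 " + hashlib.md5(PKG_DATA).hexdigest(),
    "",
])
```

A tampered package shows up as False for every checkable type, while an unknown type yields None rather than a silent pass, so the caller can decide whether an unchecked entry is acceptable.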