On Mon, Feb 11, 2013 at 09:33:01AM +0100, Christian Kellermann wrote: > Henrietta cache does check each source specified in the egg-locations > file every hour for new releases, then downloads the source tarballs > for these and chicken-install will rely on these stored tarballs.
This is not accurate. Henrietta downloads the source, which can be aggregated and compressed in various ways (bz2, zip, targz, plain files) so they are currently all normalized and stored in uncompressed, unaggregated form (as plain files in a directory). This is because (see below). > These are not created on the fly, so what you are suggesting could > be done this way. Or am I missing something? The files are individually sent because not changing chicken-install was one of the goals of THE SYSTEM, and the old Henrietta plucked the individual files straight from svn (or a local checkout, I forget). Of course this protocol is easier to maintain by storing the files separately instead of in an archive. This could be changed, but it would break compatibility with every installation of Chicken that exists. If we were to do this we'd have to take care to somehow keep the old system available. Perhaps a new flag to henrietta to send a tarball? But that would be on-the-fly, which we don't want. In any case, henrietta's cache is designed to be just that, a cache. This means that any file can be deleted at any time and it will be re-fetched. That would mean a recreation of a tarball. And when you want to support signing in the first place, that's a problem that lies with the author (or packager). Doing it automatically offers almost no advantage, as a compromised server will happily keep applying automated signatures. Doing this is a huge burden on the community which we currently cannot support. Cheers, Peter -- http://sjamaan.ath.cx _______________________________________________ Chicken-users mailing list [email protected] https://lists.nongnu.org/mailman/listinfo/chicken-users
