On Friday 18 April 2008 12:04, Christian Ehrlicher wrote: > > Best would be detached signatures of course (for the one that publishes). > > > > It would help if just an md5sum is calculated and put in the > > emerge/portage > > when the portage while is adapted. I take it that in most cases there is > > a specific file referenced so that person updating a portage spec > > should just insert their own checksum at least. > > The packager can be modified to create a md5sum for every package > (dbus-mingw-1.1.2-1234567.md5sum) or every file. Just don't know if this > helps us. Putting something in the emerge tree isn't a good solution as we > can't use it for our installer then.
Maybe I did not fully grasp it yet. To me emerge looks like having a pool of instruction how to get, build and installer other packages. Those packages can be third party or coming from us. For both case emerge should have a step called "verification" or "establishing" trust that the aquired package files are the right ones. This is possible even without help of the packager, just put a checksum in. Of course it would be cool, if the packager would publish checksum and even signatures themselfs. Bernhard -- Managing Director - Owner: www.intevation.net (Free Software Company) Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com. Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998 Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
pgpv13k1JQx43.pgp
Description: PGP signature
_______________________________________________ Kde-windows mailing list [email protected] https://mail.kde.org/mailman/listinfo/kde-windows
