Bernhard Reiter wrote:

correct. But emerge is only one of (currently) two ways to install packages. For end-users the kdewin-installer should be used. And this installer also needs to know about md5sums.

On Friday 18 April 2008 12:04, Christian Ehrlicher wrote:

Best would be detached signatures of course (for the one that publishes).

It would help if just an md5sum is calculated and put in the emerge/portage when the portage while is adapted. I take it that in most cases there is a specific file referenced so that person updating a portage spec should just insert their own checksum at least.

The packager can be modified to create a md5sum for every package (dbus-mingw-1.1.2-1234567.md5sum) or every file. Just don't know if this helps us. Putting something in the emerge tree isn't a good solution as we can't use it for our installer then.

Maybe I did not fully grasp it yet.

To me emerge looks like having a pool of instructions how to get, build and install other packages.

Those packages can be third party or coming from us.
For both cases emerge should have a step called "verification" or "establishing" trust that the acquired package files are the right ones.

With packager I meant our kdewin-packager which currently doesn't do much apart from putting all into four .tar.bz2 files (bin, lib, doc, src).

This is possible even without help of the packager, just put a checksum in. Of course it would be cool, if the packager would publish checksum and even signatures themselves.

Christian
_______________________________________________ Kde-windows mailing list [email protected] https://mail.kde.org/mailman/listinfo/kde-windows
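
Added example, not part of the original message and not code from emerge, kdewin-packager or kdewin-installer: a sketch of the per-package checksum file discussed in the thread, written once by the packager and checked by whichever tool fetched the archives. The `example-1.0-*` file names, the md5sum-style manifest layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

ALGO = "md5"  # as in the thread; any hashlib name such as "sha256" also works

def file_digest(path, algo=ALGO):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(package_files, manifest_path, algo=ALGO):
    """Packager side: one '<hex digest>  <file name>' line per archive."""
    lines = [f"{file_digest(p, algo)}  {Path(p).name}" for p in package_files]
    Path(manifest_path).write_text("\n".join(lines) + "\n")

def parse_manifest(manifest_path):
    entries = {}
    for line in Path(manifest_path).read_text().splitlines():
        if not line.strip():
            continue
        digest, name = line.split(None, 1)
        name = name.strip()
        if "/" in name or "\\" in name:  # entries must be bare file names
            raise ValueError(f"path separator in manifest entry: {name!r}")
        entries[name] = digest.lower()
    return entries

def verify_package(download_dir, manifest_path, algo=ALGO):
    """Consumer side: map each listed file to 'ok', 'missing' or 'mismatch'."""
    result = {}
    for name, expected in parse_manifest(manifest_path).items():
        path = Path(download_dir) / name
        if not path.is_file():
            result[name] = "missing"
        elif hmac.compare_digest(file_digest(path, algo), expected):
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    return result

def demo():
    """Constructed sample: four stand-in archives, one altered, one lost."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        files = [root / f"example-1.0-{part}.tar.bz2" for part in ("bin", "lib", "doc", "src")]
        for p in files:
            p.write_bytes(f"constructed payload for {p.name}".encode())
        manifest = root / "example-1.0.md5sum"
        write_manifest(files, manifest)
        files[1].write_bytes(b"altered after packaging")  # lib archive changed
        files[2].unlink()                                 # doc archive never arrived
        return verify_package(root, manifest)
```

A manifest fetched from the same server as the archives only catches corruption or an incomplete download; tying it to the publisher needs the detached signature mentioned in the thread, verified before the manifest is trusted.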
