On Tue, Jun 24, 2008 at 01:36:19PM -0700, Joe Di Pol wrote:

>> You could do that, but that potentially would require a second lookup in
>> order to retrieve the file. Assume that in the future you'd be able to
>> get back the "my.changelist" set action of a package (or multiple
>> packages) without having to get the entire manifest, so then you'd have
>> to do a search to find out the hash, and then you could retrieve the
>> file.
>
> Gotcha. Any idea how far in the future this would be?

No. It depends a bit on how important a feature it turns out to be
(compared to all the other important features and bugfixes).

> But is the hashing algorithm a stable interface? If I'm some random
> package maintainer, can I always depend on using the SHA-1 hash?

I think you should be able to. Some concerns have been raised about the
security of SHA-1, so we'll probably be moving to SHA-256 (see bug 8) at
some point, but the server code should probably keep understanding SHA-1
hashes for quite some time. Clients can eventually become smarter, and
once we stop seeing SHA-1 requests, we can drop support for them. But I
expect that'll be quite some time.

> The first approach seems more robust and friendly for a package maintainer
> (albeit a bit more complicated and costly for the client).

Yup, there's a tradeoff there.

Danek
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
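The transition described in the message above (a server that keeps answering SHA-1 lookups while clients move to SHA-256, and drops SHA-1 once nobody asks for it) can be sketched as follows. This is an added example, not part of the original message and not the packaging system's own code; the `FileStore` class, its method names, and the choice to tell the two algorithms apart by digest length are all assumptions.

```python
import hashlib
from collections import Counter

# Hex digest length -> algorithm. Dispatching on length is an assumption of
# this sketch; the thread does not say how a server would tell them apart.
ALGO_BY_HEXLEN = {40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


class FileStore:
    """Hypothetical content-addressed store that answers to both digest types."""

    def __init__(self, accept_sha1=True):
        self.accept_sha1 = accept_sha1
        self._blobs = {}           # sha256 hex -> file bytes (canonical key)
        self._sha1_alias = {}      # sha1 hex -> sha256 hex (legacy index)
        self.requests = Counter()  # lookups seen per algorithm

    def publish(self, data):
        """Store a file and return both identifiers a manifest could carry."""
        sha256 = hashlib.sha256(data).hexdigest()
        sha1 = hashlib.sha1(data).hexdigest()
        self._blobs[sha256] = data
        self._sha1_alias[sha1] = sha256
        return {"sha1": sha1, "sha256": sha256}

    def fetch(self, digest):
        digest = digest.lower()
        algo = ALGO_BY_HEXLEN.get(len(digest))
        if algo is None or not set(digest) <= HEX_DIGITS:
            raise ValueError("unrecognised digest format")
        # Count the request even if it is refused below, so the operator can
        # still see whether old clients are asking for SHA-1.
        self.requests[algo] += 1
        if algo == "sha1":
            if not self.accept_sha1:
                raise LookupError("SHA-1 lookups are no longer served")
            digest = self._sha1_alias[digest]  # KeyError if unknown
        data = self._blobs[digest]
        # Whichever name the client used, verify against the stronger hash.
        if hashlib.sha256(data).hexdigest() != digest:
            raise IOError("stored file does not match its SHA-256 digest")
        return data

    def sha1_retirable(self):
        """True once SHA-256 lookups are seen and SHA-1 lookups are not.
        A real server would evaluate this over a time window."""
        return self.requests["sha256"] > 0 and self.requests["sha1"] == 0
```
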
