Jordan Brown wrote:
> Bart Smaalders wrote:
>> Of course, we supply the elf hashes of the binaries in signed
>> manifests... so that auditing can be performed as desired.
>
> I think you're missing the point. *Your* tools can audit just fine. The
> problem is that all the *other* tools that people use to do audits, and
> in particular the tools that they use to compare their systems against
> the golden master that they are supposed to be copies of, will be
> looking at the file in toto, not pulling it apart.
>
>> If this is unacceptable, all Java packages must be replaced completely
>> if any component inside changes, and there will be far more service
>> disruptions during patching operations.
>
> ... unless you catch the spurious change upstream, so that the file with
> the spurious change is never propagated into the repository in the first
> place.
>

We could change the way publication works, I suppose; we may make that
change to make life easier for those folks. I'd leave the logic the same
in the client, though.

> Or pressure the people who build jar files to have a mode where they
> suppress the date and time stamps, setting them to some artificial
> value. (This could be done either by the build that constructs the jar
> file, or as part of the jar tool itself.)

Let's not go down that path.

- Bart

--
Bart Smaalders Solaris Kernel Performance
[EMAIL PROTECTED] http://blogs.sun.com/barts
"You will contribute more with mercurial than with thunderbird."

_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
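The disagreement above turns on one mechanical fact: a jar is a zip archive, and each zip entry carries its own date/time stamp, so two builds of identical sources produce files whose whole-file hash differs even though every payload byte is the same. The script below, an added example that is not part of the thread or of the pkg(5) code, shows the three views of the same pair of archives: the whole-file digest an external audit tool would compare, a contents-only digest that ignores entry metadata, and the effect of the timestamp normalisation Jordan proposes (rewriting every entry with a fixed stamp). The sample entries and the fixed stamp are constructed for the demonstration.

```python
import hashlib
import io
import zipfile

# Constructed sample: the "contents" of a tiny jar (a manifest and one class-like entry).
SAMPLE_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n",
    "com/example/Hello.class": bytes(range(64)),
}

# Assumed constant for normalised archives. Any fixed value works; zip stores DOS
# time, whose earliest representable instant is 1980-01-01 00:00:00.
FIXED_DATE_TIME = (1980, 1, 1, 0, 0, 0)


def build_jar(entries, date_time):
    """Return the bytes of a zip/jar holding `entries`, stamping every entry with `date_time`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(entries):  # deterministic entry order
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


def sha256(data):
    """Whole-file digest: what a generic golden-master comparison tool sees."""
    return hashlib.sha256(data).hexdigest()


def content_digest(jar_bytes):
    """Digest over entry names and payloads only, ignoring timestamps and other per-entry metadata."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in sorted(zf.namelist()):
            h.update(name.encode("utf-8") + b"\0")
            h.update(zf.read(name))
    return h.hexdigest()


def normalize_jar(jar_bytes, date_time=FIXED_DATE_TIME):
    """Rewrite a jar so every entry carries `date_time`; names and payloads are unchanged."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        entries = {name: zf.read(name) for name in zf.namelist()}
    return build_jar(entries, date_time)


def demo():
    """Two builds of identical sources, one minute apart.

    Returns (whole_file_differs, contents_match, normalized_match).
    """
    jar_a = build_jar(SAMPLE_ENTRIES, (2008, 6, 1, 12, 0, 0))
    jar_b = build_jar(SAMPLE_ENTRIES, (2008, 6, 1, 12, 1, 0))
    whole_file_differs = sha256(jar_a) != sha256(jar_b)
    contents_match = content_digest(jar_a) == content_digest(jar_b)
    normalized_match = sha256(normalize_jar(jar_a)) == sha256(normalize_jar(jar_b))
    return whole_file_differs, contents_match, normalized_match


if __name__ == "__main__":
    differs, same_contents, same_after_normalize = demo()
    print("whole-file hashes differ:      ", differs)
    print("contents-only digests match:   ", same_contents)
    print("hashes match after normalising:", same_after_normalize)
```

The contents-only digest is what a package system that "pulls the file apart" can compute; the whole-file digest is all an external auditor gets. Normalising the stamps at publication time (or in the tool that builds the jar) is the only one of the three that makes the two views agree, which is why the question of where the spurious change is caught matters.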
