Hi Shawn,
I discussed with Tom Mueller regarding SHA and URL ,
see inline for the conclusions.
Shawn Walker wrote:
rajkumar wrote:
Shawn Walker wrote:
* If the icon is supposed to be a file in the package, it makes more
sense to reference it by it's SHA1-name (e.g.
8f7c66678a6d903f93b00778deaa028e1ef4e79a) instead of by path.
Any comment on this?
It may not make more sense to reference the file by it's SHA1 name. It
may be appropriate to reject this comment. The manifest can be used to
translate from a filename to the SHA1 name if the goal is to retrieve
the file using a /file/0 operation (for the case where the package
hasn't been installed yet). For the case where the package is installed,
the desire would be to use the icon from the local path, so you need the
path value in that case. It would be very inconvenient to have to
calculate the SHA1 value when constructing the manifest; this would make
publishing too difficult.
* I don't believe it prudent to support a URL here given the
security implications of supporting a URL for the icon.
Any comment on this?
There are multiple concerns here with dynamically retrieving an image
from a web resource:
* violation of privacy as retrieving client can be tracked when
retrieval of resource is performed
* no guarantee that resource will remain available (what will you do
when the icon cannot be retrieved)
* If you support remote retrieval, will you also support redirects,
etc. in case the resource has moved?
* What sort of schemes will be supported for retrieval of this
resource? (ftp://host/icon.png, https://host/icon.png, etc.)
I agree that we shouldn't allow a URL. It just adds extra complexity
that we don't need.
Cheers,
regards,
Rajkumar
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
