Shawn Walker wrote:
> Bart Smaalders wrote:
>> Another interesting question is one of certificate revocation; I'm
>> inclined to have repositories provide such lists and have those
>> downloaded as part of catalog updates... we can also arrange for
>> refreshing of manifests, etc, upon discovery of installed packages
>> signed w/ revoked certs if needed.
>
> One issue that will arise is how to discern which repository is
> authoritative for certificates given mirrors, etc.
>
> Also, when an on-disk format is designed, will signing have to be
> specially accounted for?

It should work just the same - ie the same signatures and same keys and
the same trust anchors.

--
Darren J Moffat