On Thu, Jul 30, 2009 at 02:08:57PM -0700, Danek Duvall wrote:
> > Please note that the digest and cryptographic information is
> > optional since older repositories won't have the information and
> > some users of the depot software may choose to not provide it.
>
> While some users of the depot software may choose not to sign manifests or
> catalogs, I think that digests should not be optional, except when there
> are signatures. Running without digests seems like pointless no-pants
> mode.

Pointless no-pants or not, this isn't going to make a huge difference until we have end-to-end verification for the rest of the metadata. You may be able to detect that the catalog is corrupt, but until the manifests have signatures / digests too, we're just pushing the point of failure further along in the evaluation process.

-j
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
