Shawn Walker wrote:
Danek Duvall wrote:
On Thu, Jul 30, 2009 at 03:17:55PM -0500, Shawn Walker wrote:
"created": "20050614T080000.234231Z",
"last-modified": "20090508T161025.686485Z",
"package-count": 40802,
"parts": [
"catalog.base.C": {
Given the way you're writing this, "parts" should map to a dict, not a
list. Or you should do name/dict pairs inside of "parts". I'd rather see
the former.
Sorry, that was an unintentional mistake. That should be a '{' not a '['.
"opensolaris.org":{
"SUNWipkg":[
{
"version":"0.5.11,5.11-0.117:20090623T135937Z",
"_DIGEST": {
"sha-1": "596f26c4fc725b486faba089071d2b3b35482114",
},
},
I don't think you need the private dictionary keys here, because these
aren't digests you're removing from the catalog before computing the
catalog digest, but the digest of the referenced manifest. What you had
before in v3 was fine, I think, but if you want a separate dict filled just
with digests, then you could do that, but call it "digests".
digest-sha-1 as a key/value pair is certainly more efficient than a
dict, I was just trying to be consistent. But I'll adjust accordingly.
Please note that the digest and cryptographic information is
optional since older repositories won't have the information and
some users of the depot software may choose to not provide it.
While some users of the depot software may choose not to sign manifests or
catalogs, I think that digests should not be optional, except when there
are signatures. Running without digests seems like pointless no-pants
mode.
Older depots won't provide us with the digests either, that's the other
reason they're optional. I could clarify this by stating that
repositories that offer version 1 catalogs must provide the digest, but
signatures are optional for them. Would that be acceptable?
Cheers,
It turns out that digests are just a degenerate case of a signature w/o
public keys.... the manifest signing code will support different types
of signatures: identity, which is just the sha* hash of the message
text, and x.509, which is the signed version of the same. Pgp
signatures could also be added....
- Bart
--
Bart Smaalders Solaris Kernel Performance
[email protected] http://blogs.sun.com/barts
"You will contribute more with mercurial than with thunderbird."
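
The following is an added example, not part of this thread or of the pkg code base: a client-side check that treats the catalog's per-entry digest as the "identity" form of signature described above, and applies the rule proposed in the thread that version 1 catalogs must carry a digest while older ones may not. The function name, return values, the "digest-sha-256" key and the sample manifest are assumptions made for illustration; only "digest-sha-1" is named in the discussion.

```python
import hashlib
import hmac

# Catalog entry key -> hashlib algorithm name. "digest-sha-1" is the
# key/value form named in the thread; "digest-sha-256" is hypothetical.
ALGORITHMS = {"digest-sha-1": "sha1", "digest-sha-256": "sha256"}

# Constructed sample data, not taken from a real repository.
MANIFEST = b"constructed manifest text for the example\n"
ENTRY = {
    "version": "1.0,5.11-0:20090101T000000Z",
    "digest-sha-1": hashlib.sha1(MANIFEST).hexdigest(),
}


def verify_manifest(entry, manifest, catalog_version):
    """Check manifest bytes against every digest the catalog entry carries.

    Returns "verified" when at least one digest is present and all match,
    "unverified-legacy" when a pre-version-1 catalog supplies no digest,
    and raises ValueError on a mismatch or on a version 1 entry that
    carries no digest at all.
    """
    checked = 0
    for key, algorithm in ALGORITHMS.items():
        expected = entry.get(key)
        if expected is None:
            continue
        actual = hashlib.new(algorithm, manifest).hexdigest()
        # Constant-time comparison of the two hex strings.
        if not hmac.compare_digest(actual, expected.lower()):
            raise ValueError(f"{key} mismatch for {entry.get('version')}")
        checked += 1
    if checked:
        return "verified"
    if catalog_version >= 1:
        # Fail closed: a version 1 catalog is required to supply digests.
        raise ValueError("version 1 catalog entry carries no digest")
    return "unverified-legacy"


if __name__ == "__main__":
    print(verify_manifest(ENTRY, MANIFEST, catalog_version=1))
```

A caller should surface "unverified-legacy" to the user rather than treating it as equivalent to "verified", since in that case nothing ties the downloaded manifest to the catalog.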