Shawn Walker wrote:
> Darren J Moffat wrote:
>> I'm trying to understand what we actually gain by having any more
>> complexity than just repository as the terminology and I'm not sure I
>> get it yet.
>
> Because a repository alone isn't sufficient to express the identity of
                                                 ^^^^^^^^^^^^^^^^^^^^

That is a security model concept hence my desire to include that in the
discussion.

> of the packages contained within (e.g. there could be a large difference
> between libfoo from abc co. and libfoo from xyz co.), nor is it
> sufficient to provide a mechanism whereby a user can easily 'override'
> one package provider's packages with their own.

Again an area where manifest signing comes into play - because one of
the goals of manifest signing is allowing "resigning" exactly for
allowing local overrides.

> The additional complexity beyond publisher and repository (stream) is
> necessary because of the concept of being able to switch between
> 'development' and 'release' software trains where package versions alone
> are not sufficient to express software release types.

The publisher and repository part I'm happy with, I've read the proposal
again since my first post. I'm still unsure if stream needs to be an
exposed concept but I'm leaning in favour of it.

--
Darren J Moffat