Darren J Moffat wrote:
> Shawn Walker wrote:
>> Darren J Moffat wrote:
>>> I'm trying to understand what we actually gain by having any more
>>> complexity than just repository as the terminology and I'm not sure I
>>> get it yet.
>> Because a repository alone isn't sufficient to express the identity of
>                                                 ^^^^^^^^^^^^^^^^^^^^
> That is a security model concept hence my desire to include that in the
> discussion.

A key requirement has been that we do *not* require encryption or
signing so that users that are unable to use encryption or signing (due
to export restrictions, local laws, or other reasons) can still use the
system. This means that we have to be able to express the identity of
packages without relying on signatures, encryption, etc.

>> of the packages contained within (e.g. there could be a large
>> difference between libfoo from abc co. and libfoo from xyz co.), nor
>> is it sufficient to provide a mechanism whereby a user can easily
>> 'override' one package provider's packages with their own.
> Again an area where manifest signing comes into play - because one of
> the goals of manifest signing is allowing "resigning" exactly for
> allowing local overrides.

No. Overriding one provider's packages with another has nothing to do
with signing. It is solely a matter of a user preferring one package's
providers over another.
Cheers,
--
Shawn Walker
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss