Greetings,

As part of the catalog v1 work I'm doing, I'm also in the process of changing the server to include package identity information in the package manifest, such as the FMRI (bug 8217) with the belief that fully-qualifying the FMRI with the publisher prefix (bug 2762) was desirable.

However, a recent conversation with Stephen led me to believe that in light of manifest signing, this may be problematic. In particular, my understanding was that "Company A" may sign a manifest and be the initial "publisher" of a package. Later on, they may give that package to Sun to redistribute, and so "sun.com" would be the publisher and the last signer of the package instead since they are the "immediate provider" of the package.

So, I have a few questions:

* Am I right in assuming that we should be storing the fully-qualified FMRI (that is, an FMRI that includes publisher information) in the Manifest?

* Since Manifests are unsorted, how would we determine who the "last signer" was?

* To work around the multiple signers issues, should signature actions omit the "set pkg.fmri" from their evaluation of the manifest contents?

Cheers,
--
Shawn Walker
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss