On 01/14/10 05:52 AM, Chris Gerhard wrote:
> I understand the trade off. The problem is that this is not documented
> and not the expected behaviour. If you have 2 systems running the same
> OS you expect the bits on the disk to be the same.

It is not appropriate to document the *exact* behaviour in the end-user client documentation, which is why what is used for comparison is actually already documented in the developer documentation. See man pkg(5) and look for 'elfhash'.

> That won't be true for enterprise customers. They will have local repo
> with Gigabit bandwidth or we fail.

I've already pointed out in the RFE that was filed that there could be an option for those that prefer to trade reduced upgrade time and bandwidth for bit-for-bit identity.

However, the current behaviour is an appropriate one for the target audience of these releases. Please remember that current OpenSolaris releases are not primarily targeted at enterprise users as has been pointed out multiple times.

> My concern as someone who works in support is that this will generate
> fire drills and customer calls. The manual for pkg verify should sing
> out that it does not always use the sha1 to do a full verification.

The package system will not use sha1 forever. We plan on switching to sha256 in the near future. Never mind cryptographic signing, etc. that will also be used.

Cheers,
--
Shawn Walker
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss