On 14/01/2010 19:54, [email protected] wrote:
> On Thu, Jan 14, 2010 at 11:52:41AM +0000, Chris Gerhard wrote:
> > My concern as someone who works in support is that this will
> > generate fire drills and customer calls. The manual for pkg verify
> > should sing out that it does not always use the sha1 to do a full
> > verification.
>
> Sorry, but documenting internal algorithms isn't appropriate. We want
> to reserve the right to change our hash algorithms and message digests
> without breaking existing software. Pkg verify is what you should use
> to verify the integrity of files installed by the packaging system. If
> you choose not to use that tool, you're on your own.

And that is the problem. If you use anything else it will lead the user
down the path of believing there is a problem when there is not one.
That will result in customer dissatisfaction and calls. Unless we
clearly document this behaviour or fix it.

> If you're worried about other software, I've already suggested we
> discuss a programmatic way for other software to plug into verify using
> the pkg API.
I think I prefer the solution of not delivering different files to the
end user but instead dealing with this on the publisher. That will solve
my concerns without having to ship more data or change the documentation.
Chris
--
Sent from my OpenSolaris Laptop