On 19/05/2010 21:11, Shawn Walker wrote:
If archive integrity verification is needed, (beyond simple accidental
protection), my inclination would be to simply sign the archive using
gpg and provide the resulting '.asc' file alongside the archive. That's
a fairly standard, accepted practice as far as I can tell.

That sounds sufficient to me, please include that in the document as a
suggested method.

After further discussion among the team, it has been agreed that it
wouldn't be appropriate to make the above part of this project at this
time.

It is believed that the manifest signing functionality sufficiently
covers this problem space and that consumers may use their own external
verification methods for now if desired.

Okay, thanks for considering the options.

I have not further comments on the on-disk format for now.

--
Darren J Moffat
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss

Reply via email to