On Thu, Jul 08, 2010 at 02:40:00PM -0700, Brock Pytlik wrote:
> On 07/ 8/10 02:12 AM, Darren J Moffat wrote:
> >On 07/07/2010 23:43, Brock Pytlik wrote:
> > >[snip]
> >If the intent is that the signature section only exists in signed
> >packages you just need pkg.sigalg=rsa-sha256, you don't need a
> >pkg.hashalg as well.
> >
> >However if the intent is to have pkg.hashalg be used for non
> >signed packages then having both pkg.hashalg and pkg.sigalg
> >present when they are signed is fine too.
> >
> I feel like we're talking past each other here, so I'm going to try
> and rephrase the question I have.
>
> You keep saying that pkg.sigalg should be something like
> "rsa-sha256." I'm asking why it's not possible to construct that
> value from two pieces, pkg.hashalg, which has values like "sha256",
> "sha512", and pkg.foo (for now let's just call it pkg.foo), which
> has values like "rsa", "dsa", "ecdsa", etc...
>
> I haven't seen any reason yet why that's not a rational thing to do.
> If it is a rational thing to do, then I'm suggesting that pkg.foo
> actually be called pkg.sigalg. Having these two pieces which, to me
> at least, seem orthogonal, stored in separate places and then
> combined makes more sense to me than storing x^2 long strings.

Not to confuse the matter further, but I thought that we already had a
longstanding proposal for how to encode the hashing algorithms used to
identify package content.

https://defect.opensolaris.org/bz/show_bug.cgi?id=8

-j
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
