On 02/21/12 13:34, Shawn Walker wrote:
On 02/21/12 13:15, Alan Coopersmith wrote:
On 02/21/12 01:06 PM, Shawn Walker wrote:
I can't guard against that; this isn't about cryptographic security. This is about general identity.
So should it be a package level attribute or a publisher level one?
Is it sort of a higher level in the hierarchy than publisher? One
entity may have many publishers containing many packages? (It seems
like it's what "publisher" should mean, given more typical English
usage, but I think we've gone too far down the path of publisher having
a more specialized subset meaning for pkg.)
What should the attribute be for pkg://solaris/driver/graphics/nvidia - Oracle or Nvidia?
Oracle's the one that "published" the package.
So arguably, Oracle.
-Shawn
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
If the attribute here really is Oracle, then I think Tim's right that we
should be using information from the signature chain, provided in a user
readable way. For example, we could extract the name used on the leaf
signing certificate and add that as an attribute to the signature action
(or to the package itself during signing) so that it could be easily
consumed by pkg. That would have the benefit of automatically generating
the value as well as having it match the publisher. Which does lead me
to one question, though: when would the value of pkg.vendor not match the
publisher name?
Brock
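As an added illustration of the check Brock's proposal implies (example code, not pkg's own), the following parses a constructed pkg(5) manifest, reads the publisher out of pkg.fmri and pkg.vendor out of its set action, and compares pkg.vendor against a signer name carried on the signature action. The attribute name leaf.subject is hypothetical, standing in for whatever the leaf certificate's name would be recorded as at signing time.

```python
"""Check that pkg.vendor agrees with the signer's name carried on the signature
action, and report the publisher from pkg.fmri alongside (constructed example)."""
import shlex
from urllib.parse import urlparse

# Constructed manifest, not a real package. 'leaf.subject' is a hypothetical
# attribute standing in for the leaf signing certificate's subject name.
MANIFEST = """\
set name=pkg.fmri value=pkg://solaris/driver/graphics/nvidia@1.0,5.11-0.1
set name=pkg.summary value="NVIDIA graphics driver (constructed example)"
set name=pkg.vendor value="Oracle Corporation"
signature 1111deadbeef algorithm=rsa-sha256 chain=2222cafef00d leaf.subject="Oracle Corporation" value=ZmFrZQ== version=0
"""

def parse_manifest(text):
    """Yield (action, payload, attrs) per action line; shlex honours quoting."""
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        action, rest = tokens[0], tokens[1:]
        payload = None
        # Actions such as 'signature' carry a positional hash before their attrs.
        if rest and "=" not in rest[0]:
            payload, rest = rest[0], rest[1:]
        attrs = dict(tok.split("=", 1) for tok in rest)
        yield action, payload, attrs

def identity_summary(text):
    """Return publisher, vendor, signer names, and signer names that disagree."""
    publisher = vendor = None
    leaf_subjects = []
    for action, _payload, attrs in parse_manifest(text):
        if action == "set" and attrs.get("name") == "pkg.fmri":
            # pkg://solaris/... -> the publisher is the authority part, 'solaris'
            publisher = urlparse(attrs["value"]).netloc
        elif action == "set" and attrs.get("name") == "pkg.vendor":
            vendor = attrs.get("value")
        elif action == "signature" and "leaf.subject" in attrs:
            leaf_subjects.append(attrs["leaf.subject"])
    mismatches = [s for s in leaf_subjects if s != vendor]
    return {"publisher": publisher, "vendor": vendor,
            "leaf_subjects": leaf_subjects, "mismatches": mismatches}

if __name__ == "__main__":
    print(identity_summary(MANIFEST))
```

Note that the publisher ("solaris") and the vendor ("Oracle Corporation") differ even in the consistent case, which is exactly the distinction the thread is circling.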