[ECFT] pkgng 0.1-alpha1: a replacement for pkg_install

Julien Laffaye jlaffaye at freebsd.org
Tue Mar 29 12:11:39 UTC 2011


On Tue, Mar 29, 2011 at 5:15 AM, Tim Kientzle <kientzle at freebsd.org> wrote:
>>>>> II. Package signing.
>>>>
>>>> That would be really nice.
>>>
>>> Right now we only planned to sign the repo database, so we can trust
>>> the sha256 of the packages stored in the database. Then if the package
>>> has the same sha256 as the one in the repo database it is considered
>>> trusted.
>>> If we want a per-package signing, we would have a tarball in a tarball.
>>
>> I really expected this to have been mentioned already, but this approach (tarball in a tarball) is taken by Debian packages, and I don't remember hearing of any issues related to it.  I don't think it's worth discounting from the start without giving some consideration, but I will defer to the people actually doing the work.
>
> If you use libarchive-style streaming, it's even
> pretty straightforward to read and extract such
> things without having to create a bunch of
> temporary files.
>
> You just need to be careful about compression.

Agreed, if we don't want to verify the signature, we can extract the
tarball in the tarball efficiently.

But to verify the signature, we have to read the tarball in the
tarball twice: the first time to compute the digest and verify the
signature, the second time to do the real extraction.
So I guess that the tarball containing the real package archive and
the signature should be uncompressed. The real package archive would
be compressed, though.
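The layout sketched in this message, as an added Python example rather than pkgng code (pkgng itself is C on libarchive): an uncompressed outer tarball holding a detached signature followed by the compressed package archive. Verification streams the outer tarball once to read the signature and hash the inner archive without decompressing it, checks the signature, and only then makes the second pass that actually extracts. The same digest-then-trust check is what a signed repo database gives you per package, with the digest coming from the database instead of a bundled signature. The member names `signature` and `pkg.tar.gz`, the sample package contents, and HMAC-SHA256 with an embedded key standing in for the repository's asymmetric signature are assumptions of this example, not anything the thread or pkgng specifies.

```python
"""Tarball-in-tarball package verification: two passes over the inner archive."""
import hashlib
import hmac
import io
import tarfile

# Stand-in for the repository's signing key (assumption). A real package manager
# would use an asymmetric signature over the digest; HMAC-SHA256 with a shared key
# is used here only so the example runs with the standard library alone.
SIGNING_KEY = b"example-repo-signing-key"

SIGNATURE_MEMBER = "signature"   # hypothetical member names, not pkgng's
PACKAGE_MEMBER = "pkg.tar.gz"
CHUNK = 1 << 16


def _add_member(tf: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tf.addfile(info, io.BytesIO(data))


def build_inner_package(files: dict) -> bytes:
    """The real package archive: a gzip-compressed tarball of the files to install."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            _add_member(tf, name, data)
    return buf.getvalue()


def sign_digest(digest: bytes) -> bytes:
    """Signature over the sha256 of the inner archive (HMAC stand-in, see above)."""
    return hmac.new(SIGNING_KEY, digest, hashlib.sha256).digest()


def build_outer_package(inner: bytes) -> bytes:
    """Uncompressed outer tarball: signature first, then the compressed package.

    Keeping the outer layer uncompressed is what makes the two passes cheap: the
    verifier never has to inflate anything it has not yet checked."""
    sig = sign_digest(hashlib.sha256(inner).digest())
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        _add_member(tf, SIGNATURE_MEMBER, sig)
        _add_member(tf, PACKAGE_MEMBER, inner)
    return buf.getvalue()


def verify_and_extract(outer: bytes) -> dict:
    """Pass 1: read the signature, hash the inner archive in chunks (no decompression).
    Pass 2: only after the signature verifies, stream the inner archive and extract."""
    sig = None
    digest = None
    with tarfile.open(fileobj=io.BytesIO(outer), mode="r|") as tf:  # streaming read
        for member in tf:
            f = tf.extractfile(member)
            if member.name == SIGNATURE_MEMBER:
                sig = f.read()
            elif member.name == PACKAGE_MEMBER:
                if sig is None:
                    raise ValueError("signature must precede the package archive")
                h = hashlib.sha256()
                for chunk in iter(lambda: f.read(CHUNK), b""):
                    h.update(chunk)
                digest = h.digest()
    if sig is None or digest is None:
        raise ValueError("outer archive is missing the signature or the package")
    if not hmac.compare_digest(sig, sign_digest(digest)):
        raise ValueError("signature verification failed; refusing to extract")

    # Second pass: the inner archive is now trusted, so decompress and extract it.
    extracted = {}
    with tarfile.open(fileobj=io.BytesIO(outer), mode="r|") as tf:
        for member in tf:
            if member.name != PACKAGE_MEMBER:
                continue
            with tarfile.open(fileobj=tf.extractfile(member), mode="r|gz") as inner_tf:
                for item in inner_tf:
                    if item.isfile():
                        extracted[item.name] = inner_tf.extractfile(item).read()
    return extracted


if __name__ == "__main__":
    # Constructed sample package contents.
    sample = {"+MANIFEST": b"name: hello\n", "usr/local/bin/hello": b"#!/bin/sh\necho hello\n"}
    pkg = build_outer_package(build_inner_package(sample))
    print(sorted(verify_and_extract(pkg)))
```

Tampering with either the signature member or a single byte of the compressed inner archive makes pass 1 fail, so the gzip stream is never inflated for an unverified package; that is the whole point of paying for the second read.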


More information about the freebsd-hackers mailing list