From: Michał Górny
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [pre-GLEP r1] Gentoo binary package container format
Date: Tue, 20 Nov 2018 21:34:57 +0100
Message-ID: <1542746097.18030.5.camel@gentoo.org>

On Mon,
2018-11-19 at 19:21 +0000, Roy Bamford wrote:
> On 2018.11.19 18:35, Michał Górny wrote:
> > Hi,
> >
> > On Sat, 2018-11-17 at 12:21 +0100, Michał Górny wrote:
> > > Here's a pre-GLEP draft based on the earlier discussion on gentoo-
> > > portage-dev mailing list. The specification uses GLEP form as it
> > > provides for cleanly specifying the motivation and rationale.
> >
> > Changes in -r1: took into account the feedback and restructured
> > the motivation into pointing out advantages of the existing format,
> > and focusing on the two real issues of non-transparency and OpenPGP
> > implementations deficiencies. Also added a section on why there's no
> > explicit version number.
> >
> > > Also available via HTTPS:
> > >
> > > rst: https://dev.gentoo.org/~mgorny/tmp/glep-0078.rst
> > > html: https://dev.gentoo.org/~mgorny/tmp/glep-0078.html
> > >
>
> [snip]
>
> Team,
>
> Looks good to me. I can manually unpick the binpackage with tar.
> Choose, if I will check the signatures or not, then spray files all
> over my broken Gentoo with tar in the same way as I do now.
>
> Implementation detail question.
> It appears that all members must be signed, or none of them since
>
> "The archive members support optional OpenPGP signatures.
> The implementations must allow the user to specify whether OpenPGP
> signatures are to be expected in remotely fetched packages."
>
> Or can the user specify that only some elements need to be signed?

This is really out of scope. The only purpose of this paragraph is to
explain that '(optional)' doesn't mean you can safely ignore the lack of
this file.
-- 
Best regards,
Michał Górny