From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 48393138334 for ; Mon, 19 Nov 2018 19:21:40 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 41D31E0896; Mon, 19 Nov 2018 19:21:35 +0000 (UTC) Received: from smarthost01d.mail.zen.net.uk (smarthost01d.mail.zen.net.uk [212.23.1.7]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id D86ACE0878 for ; Mon, 19 Nov 2018 19:21:34 +0000 (UTC) Received: from [62.3.120.142] (helo=NeddySeagoon_Static) by smarthost01d.mail.zen.net.uk with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.80) (envelope-from ) id 1gOp6z-0007fJ-09 for gentoo-dev@lists.gentoo.org; Mon, 19 Nov 2018 19:21:33 +0000 Date: Mon, 19 Nov 2018 19:21:06 +0000 From: Roy Bamford Subject: Re: [gentoo-dev] [pre-GLEP r1] Gentoo binary package container format To: gentoo-dev@lists.gentoo.org In-Reply-To: <1542652504.26086.4.camel@gentoo.org> (from mgorny@gentoo.org on Mon Nov 19 18:35:04 2018) X-Mailer: Balsa 2.5.3 Message-Id: <2oZseLC4rnPfibSkOcVhyV@7goCMnFg7BjVAn3Dwj0Mo> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=PGP-SHA256; protocol="application/pgp-signature"; boundary="=-F0vhDAImn75/RmkUxdAC" X-Originating-smarthost01d-IP: [62.3.120.142] Feedback-ID: 62.3.120.142 X-Archives-Salt: 536103e6-5632-4cab-ac6e-fed959886539 X-Archives-Hash: 55a770634597739346334f130ca31b9b --=-F0vhDAImn75/RmkUxdAC Content-Type: text/plain; charset=UTF-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2018.11.19 18:35, Micha=C5=82 G=C3=B3rny wrote: > Hi, >=20 > On Sat, 2018-11-17 at 12:21 +0100, Micha=C5=82 G=C3=B3rny wrote: > > Here's a pre-GLEP draft based on the earlier discussion on gentoo- > > portage-dev mailing list. The specification uses GLEP form as it > > provides for cleanly specifying the motivation and rationale. >=20 > Changes in -r1: took into account the feedback and restructured > the motivation into pointing out advantages of the existing format, > and focusing on the two real issues of non-transparency and OpenPGP > implementations deficiencies. Also added a section on why there's no > explicit version number. >=20 > > Also available via HTTPS: > >=20 > > rst: https://dev.gentoo.org/~mgorny/tmp/glep-0078.rst > > html: https://dev.gentoo.org/~mgorny/tmp/glep-0078.html > >=20 >=20 [snip] Team, Looks good to me. I can manually unpick the binpackage with tar. Choose, if I will check the signatures or not, then spray files all over my broken Gentoo with tar in the same way as I do now. =20 Implementation detail question.=20 It appears that all members must be signed, or none of them since =20 "The archive members support optional OpenPGP signatures.=20 The implementations must allow the user to specify whether OpenPGP=20 signatures are to be expected in remotely fetched packages." Or can the user specify that only some elements need to be signed? Is it a problem if not all elements are signed with the same key? That could happen if one person makes a binpackage and someone else updates the metadata. > --=20 > Best regards, > Micha=C5=82 G=C3=B3rny >=20 --=20 Regards, Roy Bamford (Neddyseagoon) a member of elections gentoo-ops forum-mods = --=-F0vhDAImn75/RmkUxdAC Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- iQEzBAABCAAdFiEEsOrcx0gZrrCMwJzo/xJODTqpeT4FAlvzDSMACgkQ/xJODTqp eT4SHgf/ZiE514AdTk8RRvg7zkspVHWlDhqAHMIjZDfTiOGIqJpii3/i2OHLJfxl lSC5cb1UhgSoElNHkhxpV5jRw1+EbMiDHi8Qbbc7m/KsOgDz2wnUX7ADfqkh0WCQ ssRllYfzWibhma3GkdosNgeWVq/BM4/ulvRRE1FS1JIIPu2sq4lkA+UP+0gNIc+m WdUA3tfHqFy3PDbzi3fn2t4MKnhjt14+RFblUDiNzJ9ZqzaK57kIxYTerLvNRHHa C/E49AcNET5tcCWMGET4bRALz0p/zev0DnnoMiXXl/cEn+MraEIx1g/asnK1r6wb kQdNm/WiaKkS6+w2gggLaxs3JW6vHw== =vi2T -----END PGP SIGNATURE----- --=-F0vhDAImn75/RmkUxdAC--