Subject: Re: [gentoo-dev] [pre-GLEP r1] Gentoo binary package container format
From: Zac Medico
To: gentoo-dev@lists.gentoo.org, Rich Freeman
Date: Mon, 19 Nov 2018 11:40:37 -0800
Message-ID: <76ff3312-94ad-6f28-0b16-e5f9ff1c1348@gentoo.org>
References: <1542652504.26086.4.camel@gentoo.org> <2oZseLC4rnPfibSkOcVhyV@7goCMnFg7BjVAn3Dwj0Mo>

On 11/19/18 11:33 AM, Rich Freeman wrote:
> On Mon, Nov 19, 2018 at 2:21 PM Roy Bamford wrote:
>>
>> "The archive members support optional OpenPGP signatures.
>> The implementations must allow the user to specify whether OpenPGP
>> signatures are to be expected in remotely fetched packages."
>>
>> Or can the user specify that only some elements need to be signed?
>>
>> Is it a problem if not all elements are signed with the same key?
>> That could happen if one person makes a binpackage and someone
>> else updates the metadata.
>>
>
> IMO this is going a bit into PM details for a GLEP that is about
> container formats.
>
> Presumably any package manager is going to need to figure out what
> keys are/aren't valid and allow the user to configure this behavior.
> Users who want to go editing package innards will presumably adjust
> their package manager settings to accept their modifications, whether
> it means accepting their own sigs or disabling them.

With the GLEP as it is, the user *must* use a local signing key to sign
installed packages during the installation process if they want to be
able to verify signatures for installed packages at some point in the
future, since the binary package format does not provide a way to use
binary package signatures for this purpose.
-- 
Thanks,
Zac