Re: [gentoo-dev] [pre-GLEP r1] Gentoo binary package container format

[Roy Bamford <neddyseagoon@gentoo.org>]

[-- Attachment #1: Type: text/plain, Size: 1452 bytes --]

On 2018.11.19 19:33, Rich Freeman wrote:
> On Mon, Nov 19, 2018 at 2:21 PM Roy Bamford <neddyseagoon@gentoo.org>
> wrote:
> >
> > "The archive members support optional OpenPGP signatures.
> > The implementations must allow the user to specify whether OpenPGP
> > signatures are to be expected in remotely fetched packages."
> >
> > Or can the user specify that only some elements need to be signed?
> >
> > Is it a problem if not all elements are signed with the same key?
> > That could happen if one person makes a  binpackage and someone
> > else updates the metadata.
> >
> 
> IMO this is going a bit into PM details for a GLEP that is about
> container formats.
> 

Rich,

Not really. The GLEP needs to be clear about the signing.
Is it every element or none?
The GLEP hints that a mix of is possible with
 
If the implementation needs to manipulate archive members, it must
either create a new signature or discard the existing signature.

An individual binpackage could start life with all elements signed
by the same key.

Some element could be updated and the key for the signature of 
that element changed.

Later still, another element can be changed an have its signature
dropped.   

Should some combinations have no practical value, they should
not be permitted by the GLEP.

> -- 
> Rich
> 
> 
> 

-- 
Regards,

Roy Bamford
(Neddyseagoon) a member of
elections
gentoo-ops
forum-mods

[-- Attachment #2: Type: application/pgp-signature, Size: 488 bytes --]