-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Somebody in the thread at some point said: | Pranav Desai wrote: |> On Wed, May 28, 2008 at 5:49 PM, Rod Whitby <[EMAIL PROTECTED] |> <mailto:[EMAIL PROTECTED]>> wrote: |> The usual way is to add the package to OpenEmbedded, and then add |> it's name to the task-openmoko-feed.bb |> <http://task-openmoko-feed.bb> recipe so that it automatically gets |> built, packaged and deployed to the official download site. |> |> But wouldn't that mean writing a recipe for all packages that we want |> to add? | | That is correct. | |> Many third party apps already have a makefile setup, why do you want |> to change that ? | | Writing a recipe does not involve changing the existing Makefile. If the | existing Makefile is written properly, then the recipe should be about 5 | lines long. | | But the major reason to do this is the one I gave below, which you | didn't comment on. Security and trust of third-party apps should be a | very significant consideration for the Openmoko community.
Hey allow me to comment on it. Openmoko doesn't break new ground in having a distro, most of the issues furrowing brows here were solved long ago in "proper distros" (and, if we directly used a proper distro in the future, these issues would just magically work, but that's a flamewar for another time). Looking at Fedora, the solution is not to have a single point of fai- I mean distribution and claim that this is especially "secure", the solution is to crypto-sign the packages and have the public key on the clients. This is a very strong assertion you can trust -- no matter how you came by the package -- that the holder of the private key authorized the package build. And indeed with that, Fedora gets to use a system of mirror repos that are completely out of their control to distribute their packages, but it is perefctly safe due to enforcement of sig checking at the client. Nor does it limit us to only having safe packages from "Mr Openmoko", if we decide we want Pranav's packages we install his public key too and we can safely eat packages from Pranav even if we found them on Usenet or lying around on the street. Anyone faking or meddling with Openmoko or Pranav packages is SOL when we try to install them it is rejected with "package payload differs from signature" or "missing signature", etc. - -Andy -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkg/yesACgkQOjLpvpq7dMpbEwCfbQdRVlXz5rvg4ByJx2/lxb3S rKgAn1Vw6kFbEGhdBAqJ4+FlLTlZ2vMA =4RrR -----END PGP SIGNATURE----- _______________________________________________ Openmoko community mailing list community@lists.openmoko.org http://lists.openmoko.org/mailman/listinfo/community