On 10/6/07, Peter Tribble <peter.tribble at gmail.com> wrote:
> On 10/3/07, Stephen Hahn <sch at sun.com> wrote:
> > * Stephen Hahn <sch at sun.com> [2007-10-02 22:03]:
> > PKG-4: An existing network repository can be easily mirrored, and
> > users can appropriately configure their system to install
> > packages from there instead.
>
> I would take this a little further; mirroring should not require special software
> or anything beyond putting files within a known structure on a network
> accessible server. It shouldn't be necessary to use or configure any
> special software in order to create a repository.

And that such mirrors work using widely available and widely proxied protocols. HTTP and HTTPS are OK. SSH proxied over HTTP is not. (Hint: http://hg.opensolaris.org/ should exist - that's offtopic here but used as a real life example of something that is broken.)

Also - Packages should be able to be cryptographically signed to ensure integrity of the packages. I prefer the PGP "web of trust" method over the hierarchical methods involving certificate authorities. The preference for PGP is especially relevant for open source and not nearly as important when dealing only with commercial distribution (fewer & better funded -> less certificate management).

--
Mike Gerdts
http://mgerdts.blogspot.com/
