Charles Steinkuehler wrote:
> Most of the feature issues can be cobbled around by adding more
> <package>.whatever files to the package format, but I'd REALLY like to have
> a way of cryptographically signing packages, in preperation for making
> trusted downloading of packages an available feature at runtime. It may
> *just* be possible to do this with a single tar.gz file, but it will be
> tricky at best...somehow, the cryptographic signature needs to be calculated
> on the existing package file (probably the tar file before gzipping), then
> tacked on the end somehow, without changing the existing file contents. It
> may be possible to create a tar file, sign that file, then add the signature
> to the end of the tar file before gzipping.
You could use the two-file format already used for things like the Linux
kernel, or if you really wanted, just wrap both files up like this -
create a standard *.lrp file, then you could wrap it up into a *.srp
file ("Secure LRP") with a digital signature.
Then the unpackers would have to add just a secondary unpack for *.srp
files:
if (file is *.srp) then
verify signature
if (successful signature)
<handle *.LRP>
else
echo "error! invalid signature...skipping..."
fi
fi
> I'm also considering supporting alternate compression schemes, for package
> data (I'm specifically thinking of the UPX algorithms). I like UPX because
> of it's asymetry...it compresses better than gzip -9, but it's much slower
> at compressing than expanding. Just the thing for an older system that's
> typically uncompressing packages much more often than creating them. For
> grins, throw a bootable Oxygen floppy into a 486 system and see how long it
> takes to de-compress all the packages...
Bad example. Oxygen uses a *LOT* more packages than something such as
LRP - I booted LRP 2.9.7 not long ago, and was surprised to see how long
it took :)
Oxygen split up root.lrp to its component parts - things like glibc,
cron, inetd, and more are all now packages. This leads to flexibility
but more load time.
Oxygen supports new package archivers in development already, but it
needs testing. One just specifies the command line to "pack" and to
"test" archives, then it uses those. It predefines "gzip -9" and "gzip
-t" or something like that...
However, upx would not be useful (unless it packs nonexecutables).
Packing executables is all good, but then there is no compression left
to gain when the package is made.
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel
