On Thu, May 29, 2008 at 01:25:53PM -0700, Stephen Hahn wrote:
>   However, you can conclude that
> 
>   pkg://a.org/my-command
> 
>   and 
> 
>   pkg://b.org/my-command
> 
>   means that b.org is doing its best to present a set of components that
>   could be substituted for a.org's version--which implies same install
>   locations, etc.  Whether or not you trust b.org (or a.org) to produce
>   such a component is where the need for signed manifests and catalogs

Right.  And both pkgs could have different content yet be signed by
different _trusted_ (by the user) entities.  Or they could have
different content signed by the same entity (e.g., diff pkg versions).
Or they could even have the same content but signed by different
entities.

There's an expectation of what the pkg name stem says about the content,
but it's not a terribly exact expectation.  If you want to be truly
exact about package contents then you'd need a cryptographic hash of the
manifest (ignoring hash collisions), and if you want to be exact to the
point of identifying the entity that made it then you'd need a digital
signature.

>   (so that you know b.org is in fact b.org) becomes relevant.

Note that authenticating the repository server != authenticating the
entity that made the package.  I mention this only because I think we
should want pkg URNs and URLs, and there's potential for such confusion
in the case of URLs.

The difference is that a pkg URL would include a server name which
should not be confused with the publisher of the package named in the
rest of the pkg URI.

I.e., I'd like something like this:

        pkg:///<vendor>/<pkg-name>

to mean "<pkg-name> by <vendor>"

and

        pkg://<repository-server>/<vendor>/<pkg-name>

to mean "<pkg-name> by <vendor> in <repository-server>."

But since we may have many protocols for accessing a repository we might
want pkg URLs to support other schemes:

        pkg:///<vendor>/<pkg-name>
                -> "<pkg-name> by <vendor>, as found anywhere, and by
                    any means"

        pkg://<repository-server>/<vendor>/<pkg-name>
                -> "<pkg-name> by <vendor> as found in
                    <repository-server> by any means"

        http://<repository-server[:port]>/<stuff>/<vendor>/<pkg-name>
                -> "when used as a URL for a package this means
                    <pkg-name> by <vendor>, as found at
                    <repository-server[:port]> using IPS over HTTP"

        ips://<repository-server[:port]>/<stuff>/<vendor>/<pkg-name>
                -> "... using IPS' repository protocol" (if IPS has one)

We might also want to be able to reference/disambiguate packages by
version, hash, ...:

        pkg:///<vendor>/<pkg-name>#<version>
        pkg:///<vendor>/<pkg-name>#<SHA-512 hash>
        ...

<anywhere> here means "any locally configured or discoverable
repository."

Nico
-- 
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
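
The URI forms proposed in the message above, as an added example that is not part of the original post and not IPS code: a parser that keeps the repository server separate from the vendor, plus a check of a manifest against a SHA-512 fragment. The names PkgRef, parse_pkg_uri, same_package and manifest_matches, the rule that a 128-hex-digit fragment is a hash and anything else a version, and the sample manifest are assumptions.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

SHA512_HEX = re.compile(r"[0-9a-fA-F]{128}")
# Constructed sample manifest bytes, for illustration only.
SAMPLE_MANIFEST = b"file path=usr/bin/my-command mode=0555\n"

@dataclass(frozen=True)
class PkgRef:
    repository: Optional[str]     # where to look; None = any configured repository
    vendor: str                   # who the package is claimed to be by
    name: str
    version: Optional[str] = None
    sha512: Optional[str] = None  # pin on the manifest, lowercase hex

def parse_pkg_uri(uri: str) -> PkgRef:
    """Parse pkg://[<repository-server>]/<vendor>/<pkg-name>[#<version>|#<SHA-512>]."""
    parts = urlsplit(uri)
    if parts.scheme != "pkg":
        raise ValueError("not a pkg: URI")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2:
        raise ValueError("expected /<vendor>/<pkg-name>")
    ref = dict(repository=parts.netloc or None, vendor=segments[0],
               name="/".join(segments[1:]))
    if SHA512_HEX.fullmatch(parts.fragment):
        ref["sha512"] = parts.fragment.lower()
    elif parts.fragment:
        ref["version"] = parts.fragment
    return PkgRef(**ref)

def same_package(a: PkgRef, b: PkgRef) -> bool:
    """Same vendor and name; the repository is only a location, not an identity."""
    return (a.vendor, a.name) == (b.vendor, b.name)

def manifest_matches(ref: PkgRef, manifest: bytes) -> bool:
    """True only when the reference pins a SHA-512 and the manifest hashes to it.
    A match fixes the content; it says nothing about who produced it (that
    needs a signature check, which is out of scope here)."""
    if ref.sha512 is None:
        return False
    digest = hashlib.sha512(manifest).hexdigest()
    return hmac.compare_digest(digest, ref.sha512)
```

A reference without a hash fragment never passes manifest_matches, so a caller cannot mistake "fetched from the named server" for "content verified".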
