On Wed, Sep 08, 2010 at 04:59:50PM -0700, Shawn Walker wrote: > Keep in mind there is still some amount of information from the > system itself that has to be used so that you can perform the > verification itself. For example, what packages are seen as being > installed,
Well, there may not be manifests even, in which case for every file you find you'll have to query the repo for what manifest they came from. You'll have to do that for all files not covered by manifests. Many such files will typically be non-packaged editable files. > what publishers are known, In this mode of operation the user will have to tell pkg verify what those are (or, rather, the trusted media should have them pre-configured). > and/or possibly certificates > required to access a remote repository so that data for the > verification can be retrieved. These will have to be provided by the user or on the trusted media (but if you put private keys on media, then you may want to make sure that the keys are on a softtoken on the media). Nico -- _______________________________________________ pkg-discuss mailing list [email protected] http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
