On 02/21/12 12:56, Tim Foster wrote:
On 02/21/12 04:39 PM, Shawn Walker wrote:
On 02/20/12 15:09, Danek Duvall wrote:
Shawn Walker wrote:

I'd also like to suggest we have pkg.vendor to easily identify the
company that produced the package (e.g. set name=pkg.vendor
value=Oracle).

Alternative suggestions welcomed. Liane thought I should add this or an
equivalent as part of this proposal.

It came up recently with appcert(1) where it would have been nice to be
able to reliably identify Oracle-provided packages based on metadata.

That'd be checking the signature of a package, and ensuring it was one
that Oracle had actually published, as opposed to checking the value of
an attribute though, right?

No.

Because I think the information needs to be visible in a human-readable form.

All a user has to do is republish a package locally, perhaps to add
additional files, and the "pkg.vendor" attribute becomes meaningless (or
at least a bit hazy, because who knows what an end-user has actually
done to the package?)

I can't guard against that; this isn't about cryptographic security. This is about general identity.

-Shawn
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
