On 02/21/12 13:43, Brock Pytlik wrote:
On 02/21/12 13:34, Shawn Walker wrote:
...
Oracle's the one that "published" the package.
So arguably, Oracle.
...
If the attribute here really is Oracle, then I think Tim's right that we
should be using information from the signature chain, provided in a user
readable way. For example, we could extract the name used on the leaf
signing certificate and add that as an attribute to the signature action
(or to the package itself during signing) so that it could be easily
consumed by pkg. That would have the benefit of automatically generating
the value as well as having it match the publisher. Which does lead me
to one question though, when would the value of pkg.vendor not match the
publisher name?
I have no desire to involve cryptographic signatures here.
In part because I want this information to be available to unsigned
packages.
As for when would it not match? We already have that situation.
The appcert rules potentially apply to unbundled packages too; not just
'//solaris' packages.
Regardless, as Danek pointed out, this is probably orthogonal to what
I'm trying to accomplish so I'm shelving this particular aspect of the
proposal for now.
-Shawn