Re: [equinox-dev] Best way to contribute values (eg PGP keys) with OSGi?

2021-12-01 Thread Mark Hoffmann 
Hello,as far as I know P2 supports OSGi Capabilities and Requirements that Tom 
mentioned.Mark Hoffmann M.A. Dipl.-Betriebswirt (FH) CEO/CTO Phone:   +49 3641 
384 910 0 Mobile:  +49 175 701 2201 E-Mail: m.hoffm...@data-in-motion.biz Web: 
www.datainmotion.de Data In Motion Consulting GmbH Kahlaische Strasse 4 07745 
Jena Germany Geschäftsführer/CEO Mark Hoffmann Jürgen Albert Jena HRB 513025 
Steuernummer 162/107/05779 USt-Id DE310002614
 Ursprüngliche Nachricht Von: Mickael Istria 
 Datum: 01.12.21  16:43  (GMT+01:00) An: Equinox 
development mailing list , P2 developer discussions 
 Betreff: [equinox-dev] Best way to contribute values (eg 
PGP keys) with OSGi? Hi all,In the context of 
https://bugs.eclipse.org/bugs/show_bug.cgi?id=577248 , we need a way for 
bundles (that were preliminary approved by user) to be capable of contributing 
some PGP public keys as being "trusted by default". I'm wondering what would be 
the best way to contribute such extensibility in p2. p2 doesn't define 
extension points, but uses OSGi Services; but here we only want to contribute a 
value (that could be the armoured keys, or a path to a resource in the bundle 
containing such keys...). As far as I am aware -ie not much-, I see 3 possible 
approaches:1. Define a service interface and let bundles contribute extensions 
to this interface, eg via OSGI-INF/component.xml  * Requires to create 1 
service/API interace  * Would consuming the service from a bundle automatically 
trigger bundle activation? That would be undesired.2. Add support for a custom 
MANIFEST header, something like `Eclipse-P2-PGP-TrustedKey`.  * Seems a bit 
alien, would require some support in toolsAre there other solutions you think 
could fit? What should be preferred?Thanks in advance-- Mickael IstriaEclipse 
IDE developer, for Red Hat Developers
___
equinox-dev mailing list
equinox-dev@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/equinox-dev

Re: [equinox-dev] Best way to contribute values (eg PGP keys) with OSGi?

2021-12-01 Thread Christoph Läubrich 

>  p2 doesn't define extension points, but uses OSGi Services;

by the way: Technically P2 does not uses OSGi directly but 
IProvisioningAgent that supplies services that could be acquired through 
IProvisioningAgentProvider service.


So maybe it would be good to first define the PGPService or something to 
make more clear what is required/desired here, e.g. do we need to take 
minimum mean shortest distance (MSD) into account and such.


Am 01.12.21 um 16:42 schrieb Mickael Istria:

Hi all,

In the context of https://bugs.eclipse.org/bugs/show_bug.cgi?id=577248 
 , we need a way 
for bundles (that were preliminary approved by user) to be capable of 
contributing some PGP public keys as being "trusted by default". I'm 
wondering what would be the best way to contribute such extensibility in 
p2. p2 doesn't define extension points, but uses OSGi Services; but here 
we only want to contribute a value (that could be the armoured keys, or 
a path to a resource in the bundle containing such keys...). As far as I 
am aware -ie not much-, I see 3 possible approaches:


1. Define a service interface and let bundles contribute extensions to 
this interface, eg via OSGI-INF/component.xml

   * Requires to create 1 service/API interace
   * Would consuming the service from a bundle automatically trigger 
bundle activation? That would be undesired.


2. Add support for a custom MANIFEST header, something like 
`Eclipse-P2-PGP-TrustedKey`.

   * Seems a bit alien, would require some support in tools

Are there other solutions you think could fit? What should be preferred?

Thanks in advance
--
Mickael Istria
Eclipse IDE  developer, for Red Hat 
Developers 


___
equinox-dev mailing list
equinox-dev@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/equinox-dev


___
equinox-dev mailing list
equinox-dev@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/equinox-dev

Re: [equinox-dev] Best way to contribute values (eg PGP keys) with OSGi?

2021-12-01 Thread Christoph Läubrich 

I don't get exactly how this is supposed to work.

If I trust a bundle it should automatically lead to trusting others as 
well? Shouldn't this work through a key that contains trust info for 
other keys like described here: [1]


I think this all is already covered by the concept of key-servers so why 
don't we leverage these?


Anyways if we just want to reinvent the wheel once again, a service 
won't suffice I think as it requires a bundle to be in STARTING/STARTED 
state and seems a way to oversized here.


If we just want a bundle to carry a public PGP key (with possible signed 
content by others) I would simply use convention over configuration and 
place a public.pgp in the root of the bundle as such bundle entries 
could be accessed even in installed state.


[1] https://en.wikipedia.org/wiki/Web_of_trust

Am 01.12.21 um 16:42 schrieb Mickael Istria:

Hi all,

In the context of https://bugs.eclipse.org/bugs/show_bug.cgi?id=577248 
 , we need a way 
for bundles (that were preliminary approved by user) to be capable of 
contributing some PGP public keys as being "trusted by default". I'm 
wondering what would be the best way to contribute such extensibility in 
p2. p2 doesn't define extension points, but uses OSGi Services; but here 
we only want to contribute a value (that could be the armoured keys, or 
a path to a resource in the bundle containing such keys...). As far as I 
am aware -ie not much-, I see 3 possible approaches:


1. Define a service interface and let bundles contribute extensions to 
this interface, eg via OSGI-INF/component.xml

   * Requires to create 1 service/API interace
   * Would consuming the service from a bundle automatically trigger 
bundle activation? That would be undesired.


2. Add support for a custom MANIFEST header, something like 
`Eclipse-P2-PGP-TrustedKey`.

   * Seems a bit alien, would require some support in tools

Are there other solutions you think could fit? What should be preferred?

Thanks in advance
--
Mickael Istria
Eclipse IDE  developer, for Red Hat 
Developers 


___
equinox-dev mailing list
equinox-dev@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/equinox-dev


___
equinox-dev mailing list
equinox-dev@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/equinox-dev

[equinox-dev] Best way to contribute values (eg PGP keys) with OSGi?

2021-12-01 Thread Mickael Istria 
Hi all,

In the context of https://bugs.eclipse.org/bugs/show_bug.cgi?id=577248 , we
need a way for bundles (that were preliminary approved by user) to be
capable of contributing some PGP public keys as being "trusted by default".
I'm wondering what would be the best way to contribute such extensibility
in p2. p2 doesn't define extension points, but uses OSGi Services; but here
we only want to contribute a value (that could be the armoured keys, or a
path to a resource in the bundle containing such keys...). As far as I am
aware -ie not much-, I see 3 possible approaches:

1. Define a service interface and let bundles contribute extensions to this
interface, eg via OSGI-INF/component.xml
  * Requires to create 1 service/API interace
  * Would consuming the service from a bundle automatically trigger bundle
activation? That would be undesired.

2. Add support for a custom MANIFEST header, something like
`Eclipse-P2-PGP-TrustedKey`.
  * Seems a bit alien, would require some support in tools

Are there other solutions you think could fit? What should be preferred?

Thanks in advance
-- 
Mickael Istria
Eclipse IDE  developer, for Red Hat
Developers 
___
equinox-dev mailing list
equinox-dev@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/equinox-dev