| 1 |
On Tue, 2018-11-13 at 09:49 -0800, Zac Medico wrote: |
| 2 |
> On 11/11/18 12:53 PM, Michał Górny wrote: |
| 3 |
> > Hi, |
| 4 |
> > |
| 5 |
> > Ok, here's the second version integrating the feedback received. |
| 6 |
> > The format is much simpler, based on nested tarballs inspired by Debian. |
| 7 |
> > |
| 8 |
> > The outer tarball is uncompressed and uses '.gpkg.tar' suffix. It |
| 9 |
> > contains (preferably in order but PM should also handle packages with |
| 10 |
> > mismatched order): |
| 11 |
> > |
| 12 |
> > 1. Optional (but recommended) "gpkg: ${PF}" package label that can be |
| 13 |
> > used to quickly distinguish Gentoo binpkgs from regular tarballs |
| 14 |
> > (for file(1)). |
| 15 |
> > |
| 16 |
> > 2. "metadata.tar${comp}" tarball containing binary package metadata |
| 17 |
> > as files. |
| 18 |
> > |
| 19 |
> > 3. Optional "metadata.tar${comp}.sig" containing detached signature |
| 20 |
> > for the metadata archive. |
| 21 |
> > |
| 22 |
> > 4. "contents.tar${comp}" tarball containing files to be installed. |
| 23 |
> > |
| 24 |
> > 5. Optional "contents.tar${comp}.sig" containing detached signature for |
| 25 |
> > the contents archive. |
| 26 |
> |
| 27 |
> We'll want to access "contents.tar${comp}.sig" very early, but in the |
| 28 |
> absence of an index containing offsets, normally we'd have to read all |
| 29 |
> of "contents.tar${comp}" first. However, I suppose we could search |
| 30 |
> backwards for the "contents.tar${comp}.sig" entry. |
| 31 |
|
| 32 |
Hmm, I guess in order to verify the file without actually having to |
| 33 |
unpack it first? Yes, I suppose packing signatures before actual files |
| 34 |
may make sense, and that we should able to verify-then-unpack those data |
| 35 |
files without actually extracting them from the archive. |
| 36 |
|
| 37 |
-- |
| 38 |
Best regards, |
| 39 |
Michał Górny |
Archives