1 |
This entire issue changes direction based on how hard and from |
2 |
where the pushes come. There are 3 general directions, as I see |
3 |
it. |
4 |
|
5 |
1. Unify Manifest & digests. |
6 |
2. Create a new digest file. |
7 |
3. Break backwards compatibility. |
8 |
|
9 |
I'd prefer 3. I'm pretty sure it's the first time I've |
10 |
ever suggested that or had it happen since I started |
11 |
maintaining portage. :-/ |
12 |
|
13 |
> SRC_URI portage-2.0.51_rc7.tar.bz2 274572 MD5 1234 SHA1 abcd RMD160 9876 |
14 |
> EBUILD portage-2.0.51_rc7.ebuild 11806 MD5 xyz SHA1 fifteen |
15 |
> |
16 |
> (using fake checksums for readability). |
17 |
|
18 |
My suggestion involves a break in compatibility after a expedited |
19 |
transition period. Kind of a bummer really. |
20 |
|
21 |
A primary issue with unified digest/Manifest is that you force |
22 |
Maintainers to verify tarballs and be liable for them. With the |
23 |
seperated digest/Manifest we can begin signing both the Manifest |
24 |
and the digests allowing the introducer of the package to be |
25 |
liable for the tarballs and leave the Manifest, Ebuilds, and |
26 |
supporting files to be verified by the {arch,package} Maintainer. |
27 |
|
28 |
With signatures moving along slowly, we have the capability |
29 |
to revoke a signature and all potentially infected packages. |
30 |
If Arch maintainers are constantly removing/changing the |
31 |
signatures on a digest, you will have no obvious knowledge |
32 |
of which files they have touched a particular file. |
33 |
|
34 |
> Maybe the system can also be extended to incorporate |
35 |
> GLEP 25 without adding a ton of new files, I'd need some |
36 |
> input from Brian on that issue. |
37 |
|
38 |
I'd rather this be an external sync tool than have portage |
39 |
need to deal with it. Supporting it via an uncompressed MD5 |
40 |
is easily done though. We're breaking compat with my suggestion |
41 |
anyway. |
42 |
|
43 |
> And finally a summarizing list of reasons for the format: |
44 |
> - keep all checksums of a package in one place |
45 |
> - removes one level of indirection for signing |
46 |
|
47 |
These are good and bad depending on how you look at it. |
48 |
|
49 |
> - digest generation currently recreates the Manifest anyway |
50 |
> - removing files from the tree |
51 |
|
52 |
You lose direct info on who originally verified the tarballs. |
53 |
|
54 |
> - allows for easy addition of new digest algorithms |
55 |
> - any syntax modification to the current digest files brings |
56 |
> compability problems with all currently existing portage |
57 |
> versions while Manifest changes do not |
58 |
|
59 |
Sadly, I missed fixing digests when I did the Manifest code. |
60 |
|
61 |
The fix is simply a matter of time. But for all realistic, |
62 |
time-constrained, viewpoints, it is accurate. It's a one-time |
63 |
adjustment of the digest format. |
64 |
|
65 |
SHA1 and many others can be added to the digests after 2.0.51 |
66 |
comes out. It supports digests of varying forms but there |
67 |
should be a reasonable delay before implementation as the |
68 |
impact on the slow-to-update user will be manual. A script |
69 |
could be provided, I imagine. The rescue documentation still |
70 |
applies. |
71 |
|
72 |
> - potential to discover file collisions easier (currently |
73 |
> you can have the same file in two digests with different |
74 |
> checksums, not a real problem yet though) |
75 |
|
76 |
Tools exist for detecting this. md5_check in bin/. |
77 |
They should probably be integrated into repoman. |
78 |
|
79 |
|
80 |
So... |
81 |
The overall scheme: |
82 |
|
83 |
1. Transition quickly into 2.0.51. |
84 |
2. Announce the strong-recommendation/need to update. |
85 |
3. Post new rescue tarballs. |
86 |
4. Wait 2-4 weeks. |
87 |
5. Announce again... ? |
88 |
6. Enable portage's SHA1 creation. |
89 |
7. Break compat in the tree. |
90 |
8. Hopefully never do that again. |
91 |
|
92 |
--NJ |