1 |
On 11/11/18 12:53 PM, Michał Górny wrote: |
2 |
> Hi, |
3 |
> |
4 |
> Ok, here's the second version integrating the feedback received. |
5 |
> The format is much simpler, based on nested tarballs inspired by Debian. |
6 |
> |
7 |
> The outer tarball is uncompressed and uses '.gpkg.tar' suffix. It |
8 |
> contains (preferably in order but PM should also handle packages with |
9 |
> mismatched order): |
10 |
> |
11 |
> 1. Optional (but recommended) "gpkg: ${PF}" package label that can be |
12 |
> used to quickly distinguish Gentoo binpkgs from regular tarballs |
13 |
> (for file(1)). |
14 |
> |
15 |
> 2. "metadata.tar${comp}" tarball containing binary package metadata |
16 |
> as files. |
17 |
> |
18 |
> 3. Optional "metadata.tar${comp}.sig" containing detached signature |
19 |
> for the metadata archive. |
20 |
> |
21 |
> 4. "contents.tar${comp}" tarball containing files to be installed. |
22 |
> |
23 |
> 5. Optional "contents.tar${comp}.sig" containing detached signature for |
24 |
> the contents archive. |
25 |
|
26 |
We need to establish the procedure for signature verification of the |
27 |
files in "contents.tar${comp}" at any point in the future *after* they |
28 |
have been installed. In order to identify corruption of a particular |
29 |
installed file, we'll need separate digests for each of the installed |
30 |
files, and a signature covering the separate digests. |
31 |
-- |
32 |
Thanks, |
33 |
Zac |