Gentoo Archives: gentoo-portage-dev

From: Zac Medico <zmedico@g.o>
To: gentoo-portage-dev@l.g.o, "Michał Górny" <mgorny@g.o>
Subject: Re: [RFC] gpkg format proposal v2 (was: Re: [gentoo-portage-dev] [RFC] Improving Gentoo package format)
Date: Tue, 13 Nov 2018 18:51:00
Message-Id: be6c646c-d737-ddb2-0026-d8ae785c01b3@gentoo.org
In Reply to: [RFC] gpkg format proposal v2 (was: Re: [gentoo-portage-dev] [RFC] Improving Gentoo package format) by "Michał Górny"
1 On 11/11/18 12:53 PM, Michał Górny wrote:
2 > Hi,
3 >
4 > Ok, here's the second version integrating the feedback received.
5 > The format is much simpler, based on nested tarballs inspired by Debian.
6 >
7 > The outer tarball is uncompressed and uses '.gpkg.tar' suffix. It
8 > contains (preferably in order but PM should also handle packages with
9 > mismatched order):
10 >
11 > 1. Optional (but recommended) "gpkg: ${PF}" package label that can be
12 > used to quickly distinguish Gentoo binpkgs from regular tarballs
13 > (for file(1)).
14 >
15 > 2. "metadata.tar${comp}" tarball containing binary package metadata
16 > as files.
17 >
18 > 3. Optional "metadata.tar${comp}.sig" containing detached signature
19 > for the metadata archive.
20 >
21 > 4. "contents.tar${comp}" tarball containing files to be installed.
22 >
23 > 5. Optional "contents.tar${comp}.sig" containing detached signature for
24 > the contents archive.
25
26 We need to establish the procedure for signature verification of the
27 files in "contents.tar${comp}" at any point in the future *after* they
28 have been installed. In order to identify corruption of a particular
29 installed file, we'll need separate digests for each of the installed
30 files, and a signature covering the separate digests.
31 --
32 Thanks,
33 Zac

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies