1 |
On Tue, 2018-11-13 at 10:50 -0800, Zac Medico wrote: |
2 |
> On 11/11/18 12:53 PM, Michał Górny wrote: |
3 |
> > Hi, |
4 |
> > |
5 |
> > Ok, here's the second version integrating the feedback received. |
6 |
> > The format is much simpler, based on nested tarballs inspired by Debian. |
7 |
> > |
8 |
> > The outer tarball is uncompressed and uses '.gpkg.tar' suffix. It |
9 |
> > contains (preferably in order but PM should also handle packages with |
10 |
> > mismatched order): |
11 |
> > |
12 |
> > 1. Optional (but recommended) "gpkg: ${PF}" package label that can be |
13 |
> > used to quickly distinguish Gentoo binpkgs from regular tarballs |
14 |
> > (for file(1)). |
15 |
> > |
16 |
> > 2. "metadata.tar${comp}" tarball containing binary package metadata |
17 |
> > as files. |
18 |
> > |
19 |
> > 3. Optional "metadata.tar${comp}.sig" containing detached signature |
20 |
> > for the metadata archive. |
21 |
> > |
22 |
> > 4. "contents.tar${comp}" tarball containing files to be installed. |
23 |
> > |
24 |
> > 5. Optional "contents.tar${comp}.sig" containing detached signature for |
25 |
> > the contents archive. |
26 |
> |
27 |
> We need to establish the procedure for signature verification of the |
28 |
> files in "contents.tar${comp}" at any point in the future *after* they |
29 |
> have been installed. In order to identify corruption of a particular |
30 |
> installed file, we'll need separate digests for each of the installed |
31 |
> files, and a signature covering the separate digests. |
32 |
|
33 |
I should note that package contents are strongly mutable in Gentoo -- |
34 |
preinst/postinst, instprep, custom hooks... |
35 |
|
36 |
-- |
37 |
Best regards, |
38 |
Michał Górny |