[Exherbo-dev] [Exherbo Security] Package Distfile Signing Proposal

Jason A. Donenfeld Jason at zx2c4.com
Thu May 10 14:42:50 UTC 2012

On Thu, May 10, 2012 at 3:12 PM, Wouter van Kesteren
<woutershep at gmail.com> wrote:
> We have bash: http://git.exherbo.org/arbor.git/tree/packages/app-shells/bash/bash.exlib#n29
> And vim: http://git.exherbo.org/arbor.git/tree/packages/app-editors/exlibs/vim.exlib#n100

That patch situation looks terrible; sorry anyone has to deal with
that ever. In any case, I see two solutions for this:

1) Directory-based checksums, as I recommended above. If all the files
are downloaded into a directory, the contents of that directory are
concatenated and then hashed. That way it could be computed in an easy
one-liner by the developer.

2) Regex-based checksums: perhaps not as simple, but you could define
a certain filename regex, and files matching that get concatenated and
hashed. This isn't as nice as (1) but it avoids the need to create
distfile directories, if that's a motivation.
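
A sketch of options (1) and (2) above, added as an example and not part of the original post or of Exherbo's code. The function names, the choice of SHA-256, the sorted filename order, the `framed` name-and-length prefix and the sample files are all assumptions made for illustration; the `framed` variant shows how the digest changes when file boundaries are hashed along with the concatenated bytes.

```python
import hashlib
import os
import re
import tempfile


def dir_digest(directory, pattern=None, framed=False):
    """SHA-256 over files in `directory`, in sorted filename order.
    pattern: regex a filename must fully match to be hashed (option 2).
    framed: also hash each file's name and length, fixing file boundaries."""
    rx = re.compile(pattern) if pattern else None
    h = hashlib.sha256()
    for name in sorted(os.listdir(directory)):  # listdir order is arbitrary
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or (rx and not rx.fullmatch(name)):
            continue
        with open(path, "rb") as f:
            data = f.read()
        if framed:
            h.update(name.encode() + b"\0" + len(data).to_bytes(8, "big"))
        h.update(data)
    return h.hexdigest()


def make_dir(root, sub, files):
    """Write constructed sample files {name: bytes} under root/sub."""
    d = os.path.join(root, sub)
    os.makedirs(d)
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


def demo():
    with tempfile.TemporaryDirectory() as root:
        # Constructed data: same total bytes, split differently between files.
        a = make_dir(root, "a", {"demo-001": b"abc", "demo-002": b"def"})
        b = make_dir(root, "b", {"demo-001": b"abcd", "demo-002": b"ef"})
        # Same files as `a`, plus one the regex excludes.
        c = make_dir(root, "c", {"demo-001": b"abc", "demo-002": b"def", "README": b"x"})
        return {
            "plain_equal": dir_digest(a) == dir_digest(b),
            "framed_equal": dir_digest(a, framed=True) == dir_digest(b, framed=True),
            "regex_equals_a": dir_digest(c, r"demo-\d{3}") == dir_digest(a),
        }


if __name__ == "__main__":
    print(demo())
```

With plain concatenation the two constructed directories hash identically even though their files differ, because only the joined byte stream is covered; with the name and length prefix they do not.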

