[Exherbo-dev] [Exherbo Security] Package Distfile Signing Proposal

Ciaran McCreesh ciaran.mccreesh at googlemail.com
Thu May 10 15:42:49 UTC 2012

On Thu, 10 May 2012 17:40:54 +0200
"Jason A. Donenfeld" <Jason at zx2c4.com> wrote:
> On Thu, May 10, 2012 at 5:28 PM, Ciaran McCreesh
> <ciaran.mccreesh at googlemail.com> wrote:
> > The issue is that developers would have to make and commit their
> > changes, sync, do the downloading, update the exhereses and then
> > squish the commit. That's an extra two messy steps that we haven't
> > found a way to solve.
> Why? What about bumping their exheres, run "cave download" or whatever
> to do the fetching, update the hash, and then after commit their
> change, push, and sync? There only has to be one commit. Why the need
> for a squish?

a) Developers don't generally know the download URLs themselves.

b) Even when the URLs are known, there are some places that use weird
download methods that don't particularly like the specific ways wget is
used by the PM, and we need to know that.

c) Even when the URLs are known and when we know the mirrors are fine,
some packages have an awful lot of downloads. Developers don't
typically fetch these by hand because it's too much of a pain.

Ciaran McCreesh