[Exherbo-dev] [Exherbo Security] Package Distfile Signing Proposal

Jason A. Donenfeld Jason at zx2c4.com
Thu May 10 16:03:37 UTC 2012

On Thu, May 10, 2012 at 5:56 PM, Ciaran McCreesh
<ciaran.mccreesh at googlemail.com> wrote:
> We can't modify exhereses programmatically. If it's going to be parsed,
> it has to be in a dedicated file with a well defined format.

Yea... I thought you would say this. The conclusion of that statement
leads to a manifest-like situation, I guess.

But maybe it's not necessary. Sha1s are very unique long weird
strings. A find and replace on this is nearly guaranteed to be okay. I
know, though, that that doesn't sit right and lacks a general feeling
of correctness. But view it this way --

A tool that does these updates does not need to be an officially
supported built-in method of doing things. It could be a very simple
bash script that calls the cave commands to get the current sha1s,
calls the cave commands to do the fetching, and then runs sed.
Something simple, where you wouldn't call it an "official tool for
dealing with exheres", but just a common routine developers tend to
use to update things.

Or we can move the discussion in the manifest direction; I don't know.
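
The find-and-replace routine suggested in the message above, as an added example that is not part of the original post or of any Exherbo tooling. It assumes the old and new digests are passed in as arguments, since the post does not name the cave commands that would produce them; `replace_sha1`, `DISTFILE_SHA1` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# replace_sha1 FILE OLD NEW
# Swap one SHA-1 digest for another in FILE, refusing anything ambiguous.
replace_sha1() {
    file=$1 old=$2 new=$3
    # Both digests must be exactly 40 lowercase hex digits, so nothing
    # that sed treats as special can reach the expression below.
    for h in "$old" "$new"; do
        case $h in
            *[!0123456789abcdef]*) echo "not a hex digest: $h" >&2; return 2 ;;
        esac
        [ "${#h}" -eq 40 ] || { echo "wrong length: $h" >&2; return 2; }
    done
    # The old digest must occur exactly once: zero means the file is
    # stale, more than one means the replacement would be ambiguous.
    count=$(grep -oF -- "$old" "$file" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ] || { echo "expected 1 match, found $count" >&2; return 3; }
    tmp=$(mktemp) || return 1
    # Write to a temporary file first, then copy back so the original
    # keeps its permissions and is untouched if sed fails.
    sed "s/$old/$new/" "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample file; DISTFILE_SHA1 is a hypothetical variable name.
demo=$(mktemp)
printf '%s\n' 'SUMMARY="example"' \
    'DISTFILE_SHA1="da39a3ee5e6b4b0d3255bfef95601890afd80709"' > "$demo"
replace_sha1 "$demo" da39a3ee5e6b4b0d3255bfef95601890afd80709 \
    a9993e364706816aba3e25717850c26c9cd0d89d
cat "$demo"
```

A blind sed would silently do nothing when the old digest is missing; the match count turns that case, and the duplicate case, into a hard failure the developer sees.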
