[Exherbo-dev] [Exherbo Security] Package Distfile Signing Proposal

Alex Elsayed eternaleye+usenet at gmail.com
Mon Sep 10 18:49:00 UTC 2012

Bernd Steinhauser wrote:

> On 10/05/12 03:08, Jason A. Donenfeld wrote:
>> Hi All,
>> Exherbo is such a delightfully clean distro, I love having it on my
>> server, because I can see how all the moving parts work. It's nearly
>> everything I've always wanted fixed from Gentoo. One thing, however,
>> that I really do miss from Gentoo is the security provided by package
>> signing.
> So I'm not really an expert when it comes to these things, but maybe
> something like this could be a desirable alternative?
> http://git-annex.branchable.com/
> https://github.com/schacon/git-media#readme
> http://caca.zoy.org/wiki/git-bigfiles
> http://code.google.com/p/boar/
> There seem to be quite a few attempts to use git as a storage management
> tool for file archives. The advantage is that you can use git's
> checksumming functionality and the archive information can be easily
> cloned. I remember that Ciaran had some ideas of using git for this as
> well, but in contrast to those, git's advantages in transferring files
> (deltas...) are not used, afaik. That might make some stuff easier.
> I think it might be worth looking at these (and other) implementations, if
> they are suitable to our purpose, and even if we don't end up using one of
> them, this might be the direction to go.
> It might also allow us to add even more storage types (maybe something
> like a cloud storage?). Also, I kind of like how in this case the local
> storage (your local distfiles) might be integrated as a normal storage in
> git-annex (or whatever we might use) as well.
> I would appreciate if you would look at the links above (I linked boar as
> well, although it does not use git, but has similar goals. There might
> even be more alternatives.) and value their suitability.
> Of course the approach Ciaran laid out several years ago might be even
> more desirable, but it also has a bit of an academic touch, while this
> actually might be something achievable.

Hmm. If not for the Haskell dep (which complicates putting it in system), 
git-annex might be a really good option if we use a deeper integration. 
Since git-annex and vanilla git can coexist in the same repo, it might be an 
option for handling distfiles in a much more general fashion directly within 
the repo. Mirrors could be handled trivially as remotes, files would be 
checksummed, and so on.

It might even be possible to do away with DOWNLOADS and track such things 
entirely with git-annex on a cat/pkg-ver basis, although that might be 
pushing it too far.
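To make the "files would be checksummed" part of the idea concrete, here is an added example (not from this thread or from git-annex itself) that pins a distfile with a SHA256E-style content key and verifies a mirror copy against it. It assumes git-annex's key shape `SHA256E-s<size>--<sha256 hex><ext>`; the extension rule and the sample files are this example's own simplifications.

```python
import hashlib
import os
import re
import tempfile

# git-annex names tracked content by key; for the SHA256E backend the key
# looks like "SHA256E-s<size>--<sha256 hex><ext>" (assumed shape).
KEY_RE = re.compile(r"^SHA256E-s(?P<size>\d+)--(?P<digest>[0-9a-f]{64})(?P<ext>(?:\.[A-Za-z0-9]+)*)$")

def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _extension(name):
    # Simplified stand-in for git-annex's extension rule (an assumption):
    # keep up to two trailing suffixes of 1-4 alphanumerics that are not
    # purely numeric, so "foo-1.0.tar.xz" -> ".tar.xz".
    kept = []
    for p in reversed(name.split(".")[1:]):
        if len(kept) == 2 or not 1 <= len(p) <= 4 or p.isdigit() or not p.isalnum():
            break
        kept.append(p)
    return "".join("." + p for p in reversed(kept))

def annex_key(path):
    """Key that would pin this distfile's content in the repository."""
    return f"SHA256E-s{os.path.getsize(path)}--{sha256_file(path)}{_extension(os.path.basename(path))}"

def verify_distfile(path, expected_key):
    """(ok, reason): size is checked before hashing, so a truncated mirror
    download is rejected cheaply; a same-size tampered file fails on SHA-256."""
    m = KEY_RE.match(expected_key)
    if not m:
        return False, "malformed key"
    size = os.path.getsize(path)
    if size != int(m.group("size")):
        return False, f"size {size} != {m.group('size')}"
    if sha256_file(path) != m.group("digest"):
        return False, "sha256 mismatch"
    return True, "ok"

def demo():
    # Constructed sample distfile plus a same-size tampered "mirror" copy.
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "foo-1.0.tar.xz"), os.path.join(d, "mirror.tar.xz")
        with open(good, "wb") as f: f.write(b"constructed distfile contents\n" * 100)
        with open(bad, "wb") as f: f.write(b"constructed distfile contents\n" * 99 + b"X" * 30)
        key = annex_key(good)
        return key, verify_distfile(good, key), verify_distfile(bad, key)
```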
