Re: signed summary file

From: Colin Walters <walters verbum org>
To: ostree-list gnome org
Subject: Re: signed summary file
Date: Tue, 05 May 2015 11:54:07 -0400

On Mon, May 4, 2015, at 05:13 PM, Matthew Barnes wrote:

I also don't have a strong opinion on the issue, but I'm still learning 
the summary code.  I think my question still stands on whether summary 
extensions (currently unused) should be part of the signed content.


If we want to have static delta checksums covered, then they need to be.

The summary file honestly was a quick hack...in retrospect it should
have probably blocked on more design work.  The original motivation
for attempting to add it quickly was to support MirrorManager/metalinks,
which didn't actually end up being deployed yet =/

So...I think I'm OK with adding a new `summary.sig`.  It has the advantage
of sharing architecture with the commit signatures.  At some point soon
I think I need to take an action item to write up some basic documentation
on the repository layout that we can fill in with things like this.

A minor downside is that it's another HTTP request, although we should
be able to do requests for `repo/summary` and `repo/summary.sig` in parallel.

Follow-Ups:
- Re: signed summary file
  - From: Matthew Barnes

References:
- signed summary file
  - From: Giuseppe Scrivano
- Re: signed summary file
  - From: Matthew Barnes

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]