On Fri, 2017-03-17 at 09:21 -0400, Colin Walters wrote:
> On Wed, Mar 15, 2017, at 12:55 PM, Philip Withnall wrote:
> > The format would need to scale to multiple repositories (for example, if a machine used OSTree for the OS, and flatpak for apps). Any machines on the local network which advertise repositories matching the local repository’s canonical remote URI,
>
> Maybe instead we should have a UUID field in repositories in the repo/config? We could easily change `ostree init` to generate one. (Although it'd be prone to being copied if people used `rsync`)

Talking to Alex today, this is something which could potentially cause problems with flatpak, even if we found some way of determining equivalence classes between remotes: flatpak only allows app updates from the same named remote (not even a differently named remote with the same URI). I assume this could be changed in flatpak, but it’s something we should think about first.

Again, it comes down to the question of how we determine whether two remotes should be considered equivalent, such that pulling from either one of them to a local repository would be acceptable. We could do it on the basis of GPG keys, given that each organisation should have a different GPG key. But then we’d want to use another property as well, because one organisation might have multiple classes of repository. For example, Endless might sign both its flatpak and OS repositories with the same GPG key — but we wouldn’t want to try and pull from the OS repository on a network peer into our local flatpak repository.

Philip