From: Tim Kientzle
Date: Mon, 28 Mar 2011 21:15:41 -0700
To: Benjamin Kaduk
Cc: ports@freebsd.org, Baptiste Daroussin, hackers@freebsd.org, Julien Laffaye
Subject: Re: [ECFT] pkgng 0.1-alpha1: a replacement for pkg_install

>>>> II. Package signing.
>>>
>>> That would be really nice.
>>
>> Right now we only planned to sign the repo database, so we can trust
>> the sha256 of the packages stored in the database.
>> Then if the package
>> has the same sha256 as the one in the repo database it is considered
>> trusted.
>> If we want a per-package signing, we would have a tarball in a tarball.
>
> I really expected this to have been mentioned already, but this
> approach (tarball in a tarball) is taken by Debian packages, and I don't
> remember hearing of any issues related to it. I don't think it's worth
> discounting from the start without giving some consideration, but I
> will defer to the people actually doing the work.

If you use libarchive-style streaming, it's even pretty straightforward
to read and extract such things without having to create a bunch of
temporary files. You just need to be careful about compression.

Tim
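
The streaming read of a tarball in a tarball discussed in this message, combined with the sha256 check against a trusted digest, as an added example (not code from pkgng, libarchive, or anyone in the thread). It uses Python's tarfile stream mode in place of libarchive; the member name payload.tar.gz, the helper names, and the in-memory staging are assumptions, and the trusted digest is assumed to come from an already verified repo database or signature.

```python
import hashlib
import hmac
import io
import tarfile

class HashingReader:
    """File-like wrapper that hashes every byte the inner tar reader pulls."""
    def __init__(self, raw):
        self.raw, self.digest = raw, hashlib.sha256()
    def read(self, size=-1):
        chunk = self.raw.read(size)
        self.digest.update(chunk)
        return chunk

def make_tar(mode, files):
    """Constructed fixture helper: build a tar in memory from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_package(files):
    """Return (outer tar bytes, sha256 hex of the inner payload.tar.gz)."""
    payload = make_tar("w:gz", files)
    return make_tar("w", {"payload.tar.gz": payload}), hashlib.sha256(payload).hexdigest()

def read_verified(pkg_bytes, trusted_sha256):
    """Stream outer tar -> inner tar.gz with no temporary files. File contents
    are staged and released only if the payload digest matches the trusted one."""
    with tarfile.open(fileobj=io.BytesIO(pkg_bytes), mode="r|") as outer:
        for member in outer:
            if member.name != "payload.tar.gz":  # hypothetical layout
                continue
            reader = HashingReader(outer.extractfile(member))
            staged = {}  # nothing here is trusted until the digest is checked
            with tarfile.open(fileobj=reader, mode="r|gz") as inner:
                for m in inner:
                    if m.isfile():
                        staged[m.name] = inner.extractfile(m).read()
            while reader.read(65536):  # hash trailing bytes the tar reader skipped
                pass
            if not hmac.compare_digest(reader.digest.hexdigest(), trusted_sha256):
                raise ValueError("payload sha256 does not match trusted digest")
            return staged
    raise ValueError("no payload.tar.gz in package")
```

Because the digest is only known once the whole payload has streamed through, extracted data has to be staged and committed after the comparison, never written to its final location while streaming.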