Re: [Gnu-arch-users] gpg signing & mirror operations
From: Tom Lord
Subject: Re: [Gnu-arch-users] gpg signing & mirror operations
Date: Thu, 4 Mar 2004 07:54:48 -0800 (PST)

> From: Robert Collins <address@hidden>
>
> To cacherev a revision in an already mirrored revision one has to
> operate directly on the mirror. The mirror signing scripts though
> (-MIRROR) are incompatible with this - one cannot copy the signature for
> a non-existent file.
>
> Seems to me the easiest thing to do is when one needs to sign a new file
> in a mirror, and the signing/archive-registration file contains the name
> of an archive-registration, is to just follow pointers until we get a
> non-archive registration value (including the fallback to =default as
> usual).
>
> Thoughts?

It's clearly plausible to follow back "copy from" signing rules until
you find a signing rule.

However, if you don't find a rule, is =default really the right thing?
I'm not so sure. There is nothing that guarantees that =default
really applies to anything up the chain of archives. If I don't have
write access to the tail archive in the list, =default is certainly
not the right thing to use.

Less magical, perfectly flexible, but requiring slightly more work
from users would be to add support for $archive.cacherev files in
.arch-params/signing. Follow the rules:

  when making a cacherev:

  1) if $archive.cacherev exists, use that as the signing rule

  2) otherwise, if $archive exists and contains a signing command
     rather than an archive name, use that

  3) otherwise, if $archive exists, contains a copy-from archive
     name, and that archive has the desired revision already cached,
     copy the cached revision along with the signature.

  4) otherwise, if $archive exists, contains a copy-from archive
     name, and that archive does not have the desired revision
     already cached, recursively apply steps three and four until
     either the cached revision is copied

  5) otherwise, if $archive exists (and hence contains a copy-from
     archive) give an error message, otherwise store the cached
     revision unsigned

I regard steps 3 and 4 as optional and even perhaps undesirable as
default behavior. In other words, just 1,2,5 is enough functionality
to merge.

-t
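
The cacherev rule lookup proposed in the message above, as an added example that is not part of the original post and is not GNU arch code. It models .arch-params/signing as a dict of file name to contents; the function names, the sample archive names, the pattern used to tell an archive name from a signing command, and the points where the copy-from walk stops are all assumptions. Steps 3 and 4 are opt-in, and a missing rule never falls back to =default.

```python
import re

# Assumption (not stated in the message): a rule file whose content is one
# whitespace-free token shaped like "user@host--name" is a copy-from archive
# name; any other content is a signing command.
ARCHIVE_NAME = re.compile(r"^\S+@\S+--\S+$")

# Constructed sample: file name -> contents under .arch-params/signing.
SAMPLE_RULES = {
    "a@example.org--main": "gpg --clearsign",
    "a@example.org--main-MIRROR": "a@example.org--main",
}

class SigningRuleError(Exception):
    """Step 5: a copy-from rule exists but there is nothing to copy."""

def is_archive_name(content):
    return bool(ARCHIVE_NAME.match(content.strip()))

def cacherev_action(archive, revision, rules, cached=None, follow_copies=False):
    """Return ("sign", command), ("copy", source_archive) or ("unsigned", None).

    cached maps archive name -> set of revisions already cached there.
    """
    cached = cached or {}
    override = rules.get(archive + ".cacherev")
    if override is not None:                      # step 1
        return ("sign", override.strip())
    rule = rules.get(archive)
    if rule is None:                              # step 5: no rule, no =default
        return ("unsigned", None)
    if not is_archive_name(rule):                 # step 2
        return ("sign", rule.strip())
    if follow_copies:                             # steps 3 and 4, opt-in
        seen, source = {archive}, rule.strip()
        while source not in seen:                 # loop guard is an addition
            if revision in cached.get(source, ()):
                return ("copy", source)
            seen.add(source)
            nxt = rules.get(source)
            if nxt is None or not is_archive_name(nxt):
                break                             # chain ends at a non-pointer
            source = nxt.strip()
    raise SigningRuleError(                       # step 5: pointer, nothing copied
        f"{archive}: copy-from rule but no cached {revision} to copy")
```

With only the copy-from pointer in place, a cacherev made directly on the mirror is refused rather than signed with a key that may not apply; adding a `.cacherev` file for the mirror is what lets it be signed.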