Re: [Gnu-arch-users] gpg signing & mirror operations

From: Tom Lord
Subject: Re: [Gnu-arch-users] gpg signing & mirror operations
Date: Thu, 4 Mar 2004 07:54:48 -0800 (PST)

    > From: Robert Collins <address@hidden>

    > To cacherev a revision in an already mirrored revision one has to
    > operate directly on the mirror. The mirror signing scripts though
    > (-MIRROR) are incompatible with this - one cannot copy the signature for
    > a non-existent file.

    > Seems to me the easiest thing to do is when one needs to sign a new file
    > in a mirror, and the signing/archive-registration file contains the name
    > of an archive-registration, is to just follow pointers until we get a
    > non-archive registration value (including the fallback to =default as
    > usual).

    > Thoughts?

It's clearly plausible to follow back "copy from" signing rules until
you find a signing rule.

However, if you don't find a rule, is =default really the right thing?
I'm not so sure.   There is nothing that guarantees that =default
really applies to anything up the chain of archives.   If I don't have
write access to the tail archive in the list, =default is certainly
not the right thing to use.

Less magical, perfectly flexible, but requiring slightly more work
from users would be to add support for $archive.cacherev files in
.arch-params/signing.    Follow the rules:

   when making a cacherev:

   1) if $archive.cacherev exists, use that as the signing rule

   2) otherwise, if $archive exists and contains a signing command
      rather than an archive name, use that

   3) otherwise, if $archive exists, contains a copy-from archive
      name, and that archive has the desired revision already cached,
      copy the cached revision along with the signature.

   4) otherwise, if $archive exists, contains a copy-from archive
      name, and that archive does not have the desired revision
      already cached, recursively apply steps three and four until
      either the cached revision is copied 

   5) otherwise, if $archive exists (and hence contains a copy-from 
      archive) give an error message, otherwise store the cached 
      revision unsigned

I regard steps 3 and 4 as optional and even perhaps undesirable as
default behavior.  In other words, just 1,2,5 is enough functionality
to merge.
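
The lookup order listed in the message above, written out as an added Python example (not part of the original post and not tla's own code). Steps 3 and 4 are off by default, as the message suggests. Assumptions: a rule file holding only a `user@host--name` token names a copy-from archive, `has_cached` is a hypothetical callback, chain following stops at a loop or at the end of the chain, and the archive names and gpg command are constructed samples.

```python
import re
import tempfile
from pathlib import Path

# Assumption: a rule file holding only "user@host--name" names a copy-from
# archive; any other content is treated as a signing command.
ARCHIVE_NAME = re.compile(r"^[^\s@/]+@[^\s@/]+--[^\s/]+$")

def read_rule(signing_dir, name):
    """Return the stripped content of a rule file, or None if it is absent."""
    path = Path(signing_dir) / name
    return path.read_text().strip() if path.is_file() else None

def cacherev_rule(signing_dir, archive, has_cached=None, follow_copy_from=False):
    """Return ("sign", cmd), ("copy", source), ("unsigned", None) or ("error", msg).

    has_cached (hypothetical): archive -> bool, True if it already caches the revision.
    """
    override = read_rule(signing_dir, archive + ".cacherev")
    if override is not None:                      # step 1
        return ("sign", override)
    rule = read_rule(signing_dir, archive)
    if rule is None:                              # step 5: no rule file at all
        return ("unsigned", None)                 # the listed rules never consult =default
    if not ARCHIVE_NAME.match(rule):              # step 2
        return ("sign", rule)
    if follow_copy_from and has_cached:           # steps 3 and 4 (optional)
        seen, source = {archive}, rule
        while source not in seen:                 # guard against rule loops
            if has_cached(source):
                return ("copy", source)
            seen.add(source)
            nxt = read_rule(signing_dir, source)
            if nxt is None or not ARCHIVE_NAME.match(nxt):
                break                             # chain ended with nothing cached
            source = nxt
    # step 5: a copy-from rule exists but nothing was copied
    return ("error", f"{archive} copies signatures from {rule}; "
                     f"add {archive}.cacherev to sign cached revisions")

def demo():
    """Constructed rule files: a mirror before and after adding a .cacherev rule."""
    with tempfile.TemporaryDirectory() as d:
        mirror = "me@example.org--mirror"         # constructed archive names
        Path(d, mirror).write_text("me@example.org--main\n")
        before = cacherev_rule(d, mirror)
        Path(d, mirror + ".cacherev").write_text("gpg --clearsign\n")
        return before[0], cacherev_rule(d, mirror)
```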

