Date: Sat, 18 Jan 2020 00:19:27 +0200
From: Timo Teras
To: "Drew DeVault"
Cc: "Natanael Copa", <~alpine/devel@lists.alpinelinux.org>
Subject: Re: repo pinning, whether to include repository name in pkg [was Re: new package format and repository layout changes]
Message-ID: <20200118001927.3492f70d@vostro.lan>
References: <20200117093110.13bfdc9f@vostro.lan>

On Fri, 17 Jan 2020 09:06:38 -0500
"Drew DeVault" wrote:

> On Fri Jan 17, 2020 at 9:31 AM, Timo Teras wrote:
> > Having said all this. I am still somewhat concerned and thinking
> > that putting repository name to the package might be useful thing.
> > But perhaps it should be the originally-built-from-repository and
> > not the index name.
> >
> > Does any of you share my concerns that the repo name should be
> > signed?
>
> Still NACK on signing the repo name. Signed data should be autonomous
> of its original source, so long as it's signed it doesn't matter how
> it got to you.

Would you be able to give some reasoning, arguments or use-cases why you
think this is the correct approach?

Thanks,
Timo