Received: from mail-pl1-f169.google.com (mail-pl1-f169.google.com [209.85.214.169])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id D3954782C92
	for <~alpine/devel@lists.alpinelinux.org>; Fri, 17 Jan 2020 23:13:45 +0000 (UTC)
Received: by mail-pl1-f169.google.com with SMTP id f20so10453612plj.5
        for <~alpine/devel@lists.alpinelinux.org>; Fri, 17 Jan 2020 15:13:45 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=HtnjOXugmugROpwwUY+1myILGxQUH2Gy/Zm+uSYpcTQ=;
        b=CCNSdW06ZRPf91CtO6R37j6riwHVQm5DcDyXyzzQoithXenGk5SCan+zrLGSXyea80
         Z9RFvu4iiSk/KMRwudbFfeCWBMNwxdyjEFD+rZXunX1HKmfktidYbGkaxPHJSowMZOHh
         nTJKAn64lS9UnhhjJ6f9ZHyd++wmFJJOcpoFa/ouIi5rpxFTAcuKdjAd06VJBIKPFm4C
         7GRIfyVp+gNriElGmVyioMQSMm1JTgL0nTE+VhEZZxldwEyhod4Ffjbx4YcoZANMNMiT
         uAvZsdquGLTyWK0ee+xeJrj72a7stc+Y5RpwtDEZFDe33OvJoBYIODXri9fTImwtloL8
         Nr6g==
X-Gm-Message-State: APjAAAVfVd7BRW6uZPMJ6lh0yS+gbMBX3P59Tqk/TdEu4qyuebYtMtlc
	tsSxVjhXpWI/yhBjoNTSfIA=
X-Google-Smtp-Source: APXvYqxzpLGmEdkg7cHCkfneq8kDjyobyOJw1EamMyX3kUb5xjS1+JgCmcPWS7+qL2MaR30ICIJxJA==
X-Received: by 2002:a17:902:8ec6:: with SMTP id x6mr1723703plo.179.1579302824385;
        Fri, 17 Jan 2020 15:13:44 -0800 (PST)
Received: from vostro.lan (2001-44b8-01b4-a600-3641-5dff-fe8b-7d4c.static.ipv6.internode.on.net. [2001:44b8:1b4:a600:3641:5dff:fe8b:7d4c])
        by smtp.gmail.com with ESMTPSA id g19sm30545043pfh.134.2020.01.17.15.13.42
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 17 Jan 2020 15:13:44 -0800 (PST)
Date: Sat, 18 Jan 2020 01:13:36 +0200
From: Timo Teras <timo.teras@iki.fi>
To: "Drew DeVault" <sir@cmpwn.com>
Cc: "Natanael Copa" <ncopa@alpinelinux.org>,
 <~alpine/devel@lists.alpinelinux.org>
Subject: Re: repo pinning, whether to include repository name in pkg [was
 Re: new package format and repository layout changes]
Message-ID: <20200118011336.1b420be4@vostro.lan>
In-Reply-To: <BZYFLKB40RWB.2OYQP2D818H8G@homura>
References: <20200118001927.3492f70d@vostro.lan>
	<BZYFLKB40RWB.2OYQP2D818H8G@homura>
X-Mailer: Claws Mail 3.17.4 (GTK+ 2.24.32; x86_64-alpine-linux-musl)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Fri, 17 Jan 2020 17:48:52 -0500
"Drew DeVault" <sir@cmpwn.com> wrote:

> On Sat Jan 18, 2020 at 12:19 AM, Timo Teras wrote:
> > > Still NACK on signing the repo name. Signed data should be
> > > autonomous of its original source, so long as it's signed it
> > > doesn't matter how it got to you.  
> >
> > Would you be able to give some reasoning, arguments or use-cases why
> > you think this is the correct approach?  
> 
> The whole point of cryptographic signing is to be able to move
> packages over an untrusted medium without ill effect. Should we also
> sign the mirror URL? I don't think so. What if someone wants to stand
> up a new mirror, do they really need us to intervene and agree to set
> up a key for them?
> 
> Consider for example that I run Alpine CI on builds.sr.ht. What if I
> want to cache downloaded packages on the LAN for faster builds by
> adding a "magic" repo?
> 
> These kinds of use-cases ought to be supported. If the package
> contents are signed by a trusted key, it's legit. Doesn't matter
> where it came from.

The above is not restricted in my suggestion. The signature is *not*
over the URL.

What I proposed putting in it, is the distro name and repository
portions only. E.g. the string "alpine/edge/community" or similar.

Doing caches and mirrors would still be supported as expected.

Are there any more detailed requirements you might have?

And do you think it should be possible to clone alpine/edge/community
and rename it to "mynewlinux/x.y-stable/main" without resigning?

Timo