Date: Fri, 17 Jan 2020 09:06:38 -0500
From: "Drew DeVault"
To: "Timo Teras", "Natanael Copa"
Cc: <~alpine/devel@lists.alpinelinux.org>
Subject: Re: repo pinning, whether to include repository name in pkg [was Re: new package format and repository layout changes]
In-Reply-To: <20200117093110.13bfdc9f@vostro.lan>

On Fri Jan 17, 2020 at 9:31 AM, Timo Teras wrote:
> Having said all this, I am still somewhat concerned and thinking that
> putting the repository name in the package might be a useful thing. But
> perhaps it should be the originally-built-from repository and not the
> index name.
>
> Do any of you share my concerns that the repo name should be signed?

Still NACK on signing the repo name. Signed data should be autonomous of
its original source; so long as it's signed, it doesn't matter how it got
to you.

The package should be tagged in world, so if that tag is unavailable
perhaps we can just print a warning on apk operations listing packages
which are tagged for nonexistent repos.

I'm also wondering if it would be wise for us to write a solver spec
before doing many more changes to it.
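The warning suggested in the reply above (world entries pinned to a repository tag that no configured repository provides), as an added illustration that is not apk-tools code and not part of the thread. It assumes a simplified form of the two files: world lines like `foo`, `foo@edge` or `foo@edge>=1.2`, and repository lines optionally prefixed with `@tag `; the sample contents are constructed.

```python
from typing import List, Optional, Set, Tuple

# Assumed (simplified) world syntax: name[@tag][<op>version], '#' starts a comment.
def parse_world(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (package, tag) pairs; tag is None for untagged entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # The dependency name ends at the tag marker or at a version operator.
        name_end = next((i for i, c in enumerate(line) if c in "@<>=~"), len(line))
        name, rest = line[:name_end], line[name_end:]
        tag = None
        if rest.startswith("@"):
            tag_end = next((i for i, c in enumerate(rest) if c in "<>=~"), len(rest))
            tag = rest[1:tag_end]
        entries.append((name, tag))
    return entries

# Assumed repositories syntax: "@tag url" defines a tagged repo, "url" an untagged one.
def parse_repository_tags(text: str) -> Set[str]:
    """Return the set of tags that some configured repository provides."""
    tags = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line[1:].split() if line.startswith("@") else []
        if parts:
            tags.add(parts[0])
    return tags

def dangling_pins(world: str, repositories: str) -> List[Tuple[str, str]]:
    """Packages whose pin names a tag with no matching repository."""
    known = parse_repository_tags(repositories)
    return [(pkg, tag) for pkg, tag in parse_world(world)
            if tag is not None and tag not in known]

# Constructed sample input: two pins refer to tags no repository defines.
SAMPLE_WORLD = "busybox\nhtop@edge\nwireguard-tools@testing>=1.0\nzsh@community  # pinned\n"
SAMPLE_REPOS = ("https://dl-cdn.alpinelinux.org/alpine/v3.11/main\n"
                "@edge https://dl-cdn.alpinelinux.org/alpine/edge/main\n"
                "# no @testing or @community repository configured\n")

if __name__ == "__main__":
    for pkg, tag in dangling_pins(SAMPLE_WORLD, SAMPLE_REPOS):
        print(f"warning: {pkg} is pinned to @{tag}, but no repository provides that tag")
```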