From: "Drew DeVault"
To: "Timo Teras"
Cc: "Natanael Copa", <~alpine/devel@lists.alpinelinux.org>
Date: Fri, 17 Jan 2020 17:48:52 -0500
Subject: Re: repo pinning, whether to include repository name in pkg [was Re: new package format and repository layout changes]
In-Reply-To: <20200118001927.3492f70d@vostro.lan>

On Sat Jan 18, 2020 at 12:19 AM, Timo Teras wrote:
> > Still NACK on signing the repo name. Signed data should be autonomous
> > of its original source, so long as it's signed it doesn't matter how
> > it got to you.
>
> Would you be able to give some reasoning, arguments or use-cases why
> you think this is the correct approach?

The whole point of cryptographic signing is to be able to move packages over an untrusted medium without ill effect. Should we also sign the mirror URL? I don't think so. What if someone wants to stand up a new mirror, do they really need us to intervene and agree to set up a key for them?

Consider for example that I run Alpine CI on builds.sr.ht. What if I want to cache downloaded packages on the LAN for faster builds by adding a "magic" repo? These kinds of use-cases ought to be supported.

If the package contents are signed by a trusted key, it's legit. Doesn't matter where it came from.