Tools with signatures
Tim Penhey
tim.penhey at canonical.com
Mon Apr 8 04:08:14 UTC 2013
Hi all,
I have a task card that I don't feel confident starting without more
understanding of the problem, and how the solution would help with that.
And how the tool release process would work with this too.
Firstly, which is the problem that we are trying to solve?
* We have an unmodified tarball as it was defined at the source
* The tools are from a trusted source
The traditional method for the first is to provide an md5 (or other)
hash that you can grab as well as the source file. However, if we are
trying to solve the second problem, this doesn't help.
So my first question really is what problem are we trying to solve?
How will this differ between tools from a public bucket, and those that
are uploaded locally?
Who is considered trusted? How would we sign the tools to ensure that
they come from us? I can think of several ways, but I'd prefer to hear
some others' input first.
Tim
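
Added example, not part of the original message and not Juju code: it contrasts the two properties the message lists, showing that a hash stored beside the tarball only proves the two match each other, while a signature checked against a pinned public key also ties the tarball to a source. Ed25519, the `Release` type and all function names are assumptions chosen for illustration; the message does not name a signing scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Release is what a client fetches from a bucket: the tarball plus the
// verification material published beside it (hypothetical layout).
type Release struct {
	Tarball  []byte
	Checksum [32]byte // SHA-256 stored next to the tarball
	Sig      []byte   // Ed25519 signature over the tarball
}

// Publish builds a release as the holder of the signing key would.
func Publish(priv ed25519.PrivateKey, tarball []byte) Release {
	return Release{tarball, sha256.Sum256(tarball), ed25519.Sign(priv, tarball)}
}

// ChecksumOK answers only "does the tarball match the hash beside it?".
func ChecksumOK(r Release) bool { return sha256.Sum256(r.Tarball) == r.Checksum }

// SignatureOK answers "was this tarball signed by the key the client pinned?".
func SignatureOK(pinned ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pinned, r.Tarball, r.Sig)
}

// Replaced models a party with write access to the bucket but without the
// signing key: tarball and checksum change together, the signature cannot.
func Replaced(r Release, tarball []byte) Release {
	return Release{tarball, sha256.Sum256(tarball), r.Sig}
}

// Demo runs both checks on a genuine release and on a replaced one.
// All tarball contents below are constructed sample bytes.
func Demo() (goodSum, goodSig, swappedSum, swappedSig bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	good := Publish(priv, []byte("constructed tools tarball"))
	swapped := Replaced(good, []byte("constructed replacement tarball"))
	return ChecksumOK(good), SignatureOK(pub, good), ChecksumOK(swapped), SignatureOK(pub, swapped)
}

func main() {
	fmt.Println(Demo()) // true true true false
}
```

The replaced release passes the checksum test and fails only the signature test, which is why the question of who holds the signing key and how clients obtain the public key has to be settled before the check means anything.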