From thomas at gazagnaire.org  Mon Aug 10 15:36:32 2015
From: thomas at gazagnaire.org (Thomas Gazagnaire)
Date: Mon, 10 Aug 2015 15:36:32 +0100
Subject: [ocaml-platform] OPAM: signing the repository
In-Reply-To: <1904663.HTdLYqnn9n@agaric>
References: <5571730A.10604@mehnert.org> <1904663.HTdLYqnn9n@agaric>
Message-ID: <11BC58A5-ACE0-41A7-B2E7-600A230872D8@gazagnaire.org>

Great proposal! I just have some minor comments:

- it would help to explain somewhere (and if possible early in the document) what does it mean to sign a file, i.e. adding a field "signature". The "Signed files and tags" explain part of the process, but without explicitly saying anything.

- also it was not totally clear to me at first read that the Linearity condition is a kind of "custom policy checking", where the custom policy is actually quite different of what the default TUF specification. i.e., the snapshot bot should know and apply a policy set by the repository maintainers (which can change over time).

Let me know if you need something special in ocaml-git (such as more support for annotated tags) to implement the proposal.

Best,
Thomas

> On 8 Jun 2015, at 03:52, Louis Gesbert <louis.gesbert at ocamlpro.com> wrote:
> 
> I just added an issue to track the needed improvements to the specification arising from the discussions here [1]. Please keep the discussion in the ML for now :) -- and thanks for the feedback!
> 
> [1] https://github.com/ocaml/opam/issues/2182
> 
> Louis
> _______________________________________________
> Platform mailing list
> Platform at lists.ocaml.org
> http://lists.ocaml.org/listinfo/platform