[ocaml-platform] OPAM: signing the repository
Thomas Gazagnaire
thomas at gazagnaire.org
Mon Aug 10 15:36:32 BST 2015
Great proposal! I just have some minor comments:
- it would help to explain somewhere (and if possible early in the document) what does it mean to sign a file, i.e. adding a field "signature". The "Signed files and tags" explain part of the process, but without explicitly saying anything.
- also it was not totally clear to me at first read that the Linearity condition is a kind of "custom policy checking", where the custom policy is actually quite different of what the default TUF specification. i.e., the snapshot bot should know and apply a policy set by the repository maintainers (which can change over time).
Let me know if you need something special in ocaml-git (such as more support for annotated tags) to implement the proposal.
Best,
Thomas
> On 8 Jun 2015, at 03:52, Louis Gesbert <louis.gesbert at ocamlpro.com> wrote:
>
> I just added an issue to track the needed improvements to the specification arising from the discussions here [1]. Please keep the discussion in the ML for now :) -- and thanks for the feedback!
>
> [1] https://github.com/ocaml/opam/issues/2182
>
> Louis
> _______________________________________________
> Platform mailing list
> Platform at lists.ocaml.org
> http://lists.ocaml.org/listinfo/platform
More information about the Platform
mailing list