Re: [softwaremgmt] YMP for other distributions.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Martin Vidner wrote: | On Tue, Mar 11, 2008 at 11:31:25AM +0000, Benji Weber wrote: |> Greetings All, |> |> I recently noticed that an Ubuntu specification ThirdPartyApt[0] very |> similar to YMP[1]. |> |> I have since contacted the specification authors - Jerome Haltom and |> Scott Ritchie to enquire about the possibility of cooperating and |> using the same file format. Both were been interested in this |> possibility. Hopefully they will be subscribed to this list now. | | That is great! Indeed :) |> There is also the question of how to distribute the public key for a |> debian repository. As I understand it debian repositories do not |> normally contain the public key as in most openSUSE repositories[5]. |> The .apt format proposal has the public key included in the file. This |> is one possibility, although in my opinion it would be better to have |> it available in the repositories like openSUSE, this would allow other |> mechanisms for adding the repository to locate the key as well. Bear |> in mind that one of the requirements is to keep the file format as |> simple as possible, the less information that is mandatory in the file |> the better. | | <repository> | ... | <pubkey href="http://example.com/p.key"/> | or | <pubkey> | -----BEGIN PGP PUBLIC KEY BLOCK----- | Version: GnuPG v1.4.2.2 (GNU/Linux) | | mQGiBD/G9AgRBACZ519LX9cdoyJA+7gmWC+mUsiyPhnmMWu4uOg0M+vb/JPtDdfc | ... | </pubkey> | or, if not specified, it defaults to the usual suse location, for | backwards compatibility. | </repository> | | Well, reagrding signing the YMPs themselves, we may have a clash | between GPG and XML, I don't know how to resolve that. Indeed. Even if the risk of collisions isn't as high when using a CDATA section: <repository> ~ ... ~ <pubkey><![CDATA[ - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2.2 (GNU/Linux) mQGiBD/G9AgRBACZ519LX9cdoyJA+7gmWC+mUsiyPhnmMWu4uOg0M+vb/JPtDdfc ... ]]> </pubkey> But still. If the ASCII-armoured PGP public key token includes the sequence "]]>" then it will break. What would work is XML escaping the ASCII armoured block. As that inline data is supposed to be processed by a tool that knows the XML format, it can load the PGP public key token as a string (with DOM, SAX, TrAX, whatever) and un-XML-escape before using it. So even in the unlucky event where you'd have something that breaks XML in the armoured PGP key (say, > or < or &...;): <pubkey> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2.2 (GNU/Linux) aaa"<>bbb... ... </pubkey> It would look like this in the file, escaped for XML: <pubkey> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2.2 (GNU/Linux) aaa"quot;<>bbb... ... </pubkey> cheers - -- ~ -o) Pascal Bleser http://linux01.gwdg.de/~pbleser/ ~ /\\ ~ _\_v The more things change, the more they stay insane. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFH2bRzr3NMWliFcXcRAnLzAJ9h3vBDMb6XCEAPsGYOgF6iFBH58wCdE463 uiSgRaG+ceoYauWDvd3pY/U= =gtmF -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-softwaremgmt+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-softwaremgmt+help@opensuse.org