Re: [equinox-dev] Best way to contribute values (eg PGP keys) with OSGi?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [equinox-dev] Best way to contribute values (eg PGP keys) with OSGi?

From: Christoph Läubrich <laeubi@xxxxxxxxxxxxxx>
Date: Wed, 1 Dec 2021 17:01:03 +0100
Delivered-to: equinox-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/equinox-dev/>
List-help: <mailto:equinox-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/equinox-dev>, <mailto:equinox-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/equinox-dev>, <mailto:equinox-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0

I don't get exactly how this is supposed to work.

If I trust a bundle it should automatically lead to trusting others aswell? Shouldn't this work through a key that contains trust info forother keys like described here: [1]

I think this all is already covered by the concept of key-servers so whydon't we leverage these?

Anyways if we just want to reinvent the wheel once again, a servicewon't suffice I think as it requires a bundle to be in STARTING/STARTEDstate and seems a way to oversized here.

If we just want a bundle to carry a public PGP key (with possible signedcontent by others) I would simply use convention over configuration andplace a public.pgp in the root of the bundle as such bundle entriescould be accessed even in installed state.


[1] https://en.wikipedia.org/wiki/Web_of_trust

Am 01.12.21 um 16:42 schrieb Mickael Istria:

Hi all,
In the context of https://bugs.eclipse.org/bugs/show_bug.cgi?id=577248<https://bugs.eclipse.org/bugs/show_bug.cgi?id=577248> , we need a wayfor bundles (that were preliminary approved by user) to be capable ofcontributing some PGP public keys as being "trusted by default". I'mwondering what would be the best way to contribute such extensibility inp2. p2 doesn't define extension points, but uses OSGi Services; but herewe only want to contribute a value (that could be the armoured keys, ora path to a resource in the bundle containing such keys...). As far as Iam aware -ie not much-, I see 3 possible approaches:
1. Define a service interface and let bundles contribute extensions tothis interface, eg via OSGI-INF/component.xml
   * Requires to create 1 service/API interace
* Would consuming the service from a bundle automatically triggerbundle activation? That would be undesired.
2. Add support for a custom MANIFEST header, something like`Eclipse-P2-PGP-TrustedKey`.
   * Seems a bit alien, would require some support in tools

Are there other solutions you think could fit? What should be preferred?

Thanks in advance
--
Mickael Istria
Eclipse IDE <https://www.eclipse.org/eclipseide> developer, for Red HatDevelopers <https://developers.redhat.com/>
_______________________________________________
equinox-dev mailing list
equinox-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/equinox-dev

References:
- [equinox-dev] Best way to contribute values (eg PGP keys) with OSGi?
  - From: Mickael Istria

Prev by Date: [equinox-dev] Best way to contribute values (eg PGP keys) with OSGi?
Next by Date: Re: [equinox-dev] [p2-dev] Best way to contribute values (eg PGP keys) with OSGi?
Previous by thread: [equinox-dev] Best way to contribute values (eg PGP keys) with OSGi?
Next by thread: Re: [equinox-dev] [p2-dev] Best way to contribute values (eg PGP keys) with OSGi?
Index(es):
- Date
- Thread

Breadcrumbs