Draft manifest format specification.
acahalan at gmail.com
Tue Aug 14 23:13:41 EDT 2007
C. Scott Ananian writes:
> I have added a draft manifest specification to the wiki at:
> There is not yet consensus on this specification; it shouldn't be
> viewed as final by any means.
First, regarding the document itself: It appears that you are using
some undefined regexp or BNF type of thing, but the reader may
guess the syntax wrongly. At times I think you might mean for
something to be taken literally, but I can't be fully sure.
Second, regarding the format itself: it seems not to be needed.
You're introducing redundant info, which is almost always bad
for security. The file archive itself contains the list of files.
If you want to keep a list around (you shouldn't), you can make
a copy of that list when the bundle is installed.
Hard linking via this mechanism is quite exploitable. For linking
within a bundle, the easy answer is to STOP USING ZIP. At least
allow a standard Linux archiver (tar, cpio, or pax) as an alternative
to that crufty old DOS archiver. Across bundles, you need something
other than hard links, and you'll need a real hero if you expect it
to work any time soon. Perhaps someday, there will be a flash
filesystem driver that supports copy-on-write file blocks as a way
to do compression.
For signing and all, doesn't gpg provide a standard way to do this?
As far as I can tell, you just need to ship the public keys allowed
for future upgrades in the archive and then sign the whole archive.
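To make the two points in this post concrete (that a manifest which duplicates the archive's own file list is redundant data a verifier must at least check for agreement, and that link entries inside a bundle can point outside it), here is an added example checker. It is not code from the thread or from the OLPC project; it uses an uncompressed tar archive built in memory, a constructed manifest line format of `<sha256> <size> <path>` that the draft specification does not define, and constructed sample files. It reports any mismatch between manifest and archive and rejects members or links whose path would escape the bundle root.

```python
"""Added example (not from the original thread): a defensive bundle checker.
It confirms that a redundant manifest agrees with the archive it describes,
and rejects archive members and link targets that would escape the bundle.
Manifest line format '<sha256> <size> <path>' is an assumption made here."""
import hashlib
import io
import posixpath
import tarfile


def parse_manifest(text):
    """Parse constructed manifest lines of the form '<sha256> <size> <path>'."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, path = line.split(" ", 2)
        entries[posixpath.normpath(path)] = (digest, int(size))
    return entries


def _inside_bundle(path):
    """True if a path stays inside the bundle root: not absolute, no '..' escape."""
    if not path or path.startswith("/"):
        return False
    norm = posixpath.normpath(path)
    return norm != ".." and not norm.startswith("../")


def check_bundle(archive_bytes, manifest_text):
    """Return a list of problems found; an empty list means the bundle passes."""
    problems = []
    manifest = parse_manifest(manifest_text)
    seen = set()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tar:
        for member in tar:
            if not _inside_bundle(member.name):
                problems.append(f"unsafe member path: {member.name}")
                continue
            name = posixpath.normpath(member.name)
            if member.islnk() or member.issym():
                # Symlink targets are relative to the link's directory; tar hard
                # links name another archive member, so they are already relative.
                target = member.linkname
                if member.issym():
                    target = posixpath.join(posixpath.dirname(name), target)
                if not _inside_bundle(target):
                    problems.append(f"link escapes bundle: {name} -> {member.linkname}")
                continue
            if member.isdir():
                continue
            if not member.isfile():
                problems.append(f"unexpected member type: {name}")
                continue
            seen.add(name)
            if name not in manifest:
                problems.append(f"file not in manifest: {name}")
                continue
            digest, size = manifest[name]
            data = tar.extractfile(member).read()
            if len(data) != size:
                problems.append(f"size mismatch: {name}")
            if hashlib.sha256(data).hexdigest() != digest:
                problems.append(f"hash mismatch: {name}")
    for name in manifest:
        if name not in seen:
            problems.append(f"manifest lists missing file: {name}")
    return problems


def build_tar(files, links=()):
    """Build a constructed uncompressed tar in memory.
    files: {path: bytes}; links: iterable of (name, target, is_symlink)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, target, is_sym in links:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE if is_sym else tarfile.LNKTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


def manifest_for(files):
    """Generate a constructed manifest that matches `files` exactly."""
    return "\n".join(f"{hashlib.sha256(d).hexdigest()} {len(d)} {p}"
                     for p, d in files.items())


# Constructed sample bundle contents (hypothetical paths, not a real activity).
SAMPLE_FILES = {
    "activity/activity.info": b"[Activity]\nname = Demo\n",
    "bin/run": b"#!/bin/sh\necho hi\n",
}

if __name__ == "__main__":
    good = build_tar(SAMPLE_FILES)
    print(check_bundle(good, manifest_for(SAMPLE_FILES)))
    tampered = dict(SAMPLE_FILES, **{"bin/run": b"#!/bin/sh\necho bye\n"})
    print(check_bundle(build_tar(tampered), manifest_for(SAMPLE_FILES)))
    escaping = build_tar(SAMPLE_FILES, links=[("passwd", "../../etc/passwd", True)])
    print(check_bundle(escaping, manifest_for(SAMPLE_FILES)))
```

The checker treats the manifest as a claim to be verified against the archive rather than as a source of truth, which is the only safe way to handle the redundancy the post objects to; it also refuses the bundle outright on any link that resolves outside the root, instead of trying to repair it.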