PEAR Package Release Protocol RFC

Summary: Adding a command to pyrus to release packages through a supporting pear channel.

ala - pyrus push MyPackage-x.x.x.tgz

I'd like a new protocol added to the channels that would indicate if a channel supported remotely pushing releases. This would be in the channel.xml file and would be indicated by something like

    <baseurl type="RELEASEUPLOAD1.0"></baseurl>

Protocol overview:

  1. The client sends a pre-flight request, containing the releasing maintainer's handle and the package name.
  2. The channel issues a one-time ticket for the release.
  3. The client then sends the release, ssh encrypted to the server, along with the ticket they were issued.
  4. The server receives the release and checks the ticket, decrypts with the user's public key, and then runs a simplechannelserver release command.

Finer points, The ticket issuing would allow the channel to make a decision if that user can release the specified package either by checking a list of admins, or existing package leads.

The openssl encryption seems like a good way to handle releases. Storing the public keys on the channel would be necessary.

Tickets expire quickly, are random, and are good only once.

pear/rfc/pear_package_release_protocol.txt · Last modified: 2012/02/15 09:27 by cweiske