PEAR Package Release Protocol RFC
Summary: Adding a command to pyrus to release packages through a supporting pear channel.
ala - pyrus push MyPackage-x.x.x.tgz
I'd like a new protocol added to the channels that would indicate if a channel supported remotely pushing releases. This would be in the channel.xml file and would be indicated by something like
<releaseupload> <baseurl type="RELEASEUPLOAD1.0">http://pear2.php.net/push</baseurl> </releaseupload>
- The client sends a pre-flight request, containing the releasing maintainer's handle and the package name.
- The channel issues a one-time ticket for the release.
- The client then sends the release, ssh encrypted to the server, along with the ticket they were issued.
- The server receives the release and checks the ticket, decrypts with the user's public key, and then runs a simplechannelserver release command.
Finer points, The ticket issuing would allow the channel to make a decision if that user can release the specified package either by checking a list of admins, or existing package leads.
The openssl encryption seems like a good way to handle releases. Storing the public keys on the channel would be necessary.
Tickets expire quickly, are random, and are good only once.