On Sun, Apr 12, 2009 at 12:07 PM, Caleb Cushing <xenoterracide@×××××.com> wrote:
> I'm aware of the point of thin-Manifests (It's a long time running
> conversation), however it seems to be something more to the order of
> usage for distribution, in other words, overlays and trees like
> regen2's and funtoo's. if you aren't distributing the tree for user
> consumption... then you'll still have to generate full manifests for
> rsync, it would seem easy and more space, processor effective to make
> it like metadata and cron generation, devs don't really need them
> when hacking ebuilds do they? they're just a security/integrity
> measure for end users. I suppose the reason for devs to use them is
> they would be using the git tree to update their own systems.
>
|
Signed DIST manifests mean the developer has committed the ebuild for
a specific distfile, and if the distfile is then tampered with (on
Gentoo mirrors/upstream mirrors), it'll be noticed immediately.
However, if the DIST manifests are generated like metadata, it gives a
window for mischief, and no one would notice that the distfile used
for making the ebuild and the one being distributed to users are
different.
|
--
~Nirbheek Chauhan
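
Added example, not part of the original message or of Portage's code: a minimal check of a distfile against a Manifest DIST entry, comparing an entry the developer committed with one regenerated later from the mirror's copy. The package name, file contents and the BLAKE2B/SHA512 hash choice are constructed assumptions, and verification of the Manifest's own signature is not modelled.

```python
import hashlib

# Manifest hash names mapped to hashlib algorithm names.
HASHES = {"BLAKE2B": "blake2b", "SHA256": "sha256", "SHA512": "sha512"}

def make_dist_entry(name, data, algos=("BLAKE2B", "SHA512")):
    """Build a 'DIST <file> <size> <ALGO> <hex> ...' Manifest line from bytes."""
    fields = ["DIST", name, str(len(data))]
    for algo in algos:
        fields += [algo, hashlib.new(HASHES[algo], data).hexdigest()]
    return " ".join(fields)

def parse_dist_entry(line):
    """Return (filename, size, {algo: hexdigest}) for a DIST line."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 == 0:
        raise ValueError("not a well-formed DIST entry: %r" % line)
    return fields[1], int(fields[2]), dict(zip(fields[3::2], fields[4::2]))

def verify_distfile(line, name, data):
    """Return a list of mismatches; an empty list means the file is accepted."""
    want_name, want_size, digests = parse_dist_entry(line)
    problems = []
    if name != want_name:
        problems.append("filename")
    if len(data) != want_size:
        problems.append("size")
    checked = 0
    for algo, want in digests.items():
        if algo not in HASHES:
            continue  # unknown hash type: skip, but never count it as checked
        checked += 1
        if hashlib.new(HASHES[algo], data).hexdigest() != want.lower():
            problems.append(algo)
    if checked == 0:
        problems.append("no-supported-hash")
    return problems

# Constructed sample data: same length, different content.
ORIGINAL = b"constructed upstream tarball v1.0\n"
TAMPERED = b"constructed upstream tarball v1.O\n"
# Entry computed by the developer at commit time, from the file they tested.
COMMITTED = make_dist_entry("foo-1.0.tar.gz", ORIGINAL)
# Entry regenerated later (cron job) from whatever the mirror serves by then.
REGENERATED = make_dist_entry("foo-1.0.tar.gz", TAMPERED)

if __name__ == "__main__":
    print(verify_distfile(COMMITTED, "foo-1.0.tar.gz", TAMPERED))
    print(verify_distfile(REGENERATED, "foo-1.0.tar.gz", TAMPERED))
```

The committed entry rejects the altered file on both hashes even though its size is unchanged, while the regenerated entry accepts it because the digests were computed from the altered copy.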