On Sun, Apr 12, 2009 at 12:07 PM, Caleb Cushing <xenoterracide@...> wrote:
> I'm aware of the point of thin-Manifests (it's a long-running
> conversation), however it seems to be something more to the order of
> usage for distribution, in other words, overlays and trees like
> regen2's and funtoo's. If you aren't distributing the tree for user
> consumption... then you'll still have to generate full manifests for
> rsync. It would seem easy and more space, processor effective to make
> it like metadata and cron generation. Devs don't really need them
> when hacking ebuilds, do they? They're just a security/integrity
> measure for end users. I suppose the reason for devs to use them is
> they would be using the git tree to update their own systems.
>
Signed DIST manifests mean the developer has committed the ebuild for
a specific distfile, and if the distfile is then tampered with (on
Gentoo mirrors/upstream mirrors), it'll be noticed immediately.
However, if the DIST manifests are generated like metadata, it gives a
window for mischief, and no one would notice that the distfile used
for making the ebuild and the one being distributed to users are
different.
--
~Nirbheek Chauhan
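
The difference between a developer-committed DIST entry and one regenerated later, as an added example that is not part of either message in this thread: it checks a distfile against a `DIST <file> <size> <HASH> <digest>` line. The file name and contents are constructed, only SHA256/SHA512 are checked, and the OpenPGP signature over the Manifest is assumed to be verified separately.

```python
import hashlib
import hmac

# Manifest hash names mapped to hashlib names (only the ones this sketch checks).
SUPPORTED = {"SHA256": "sha256", "SHA512": "sha512"}

def dist_entry(name, data):
    """Build a DIST line: DIST <file> <size> <HASH> <hex digest>."""
    return f"DIST {name} {len(data)} SHA256 {hashlib.sha256(data).hexdigest()}"

def parse_dist(line):
    """Split a DIST line into (name, size, {hash name: hex digest})."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 == 0:
        raise ValueError("not a well-formed DIST entry")
    return fields[1], int(fields[2]), dict(zip(fields[3::2], fields[4::2]))

def verify(line, name, data):
    """True only if name, size and every supported hash match; fail closed."""
    entry_name, size, hashes = parse_dist(line)
    if entry_name != name or size != len(data):
        return False
    checked = 0
    for algo, expected in hashes.items():
        if algo not in SUPPORTED:
            continue
        actual = hashlib.new(SUPPORTED[algo], data).hexdigest()
        if not hmac.compare_digest(actual, expected.lower()):
            return False
        checked += 1
    return checked > 0

# Constructed sample data: hypothetical distfile name and contents.
NAME = "foo-1.0.tar.gz"
ORIGINAL = b"constructed upstream tarball, as the developer fetched it"
TAMPERED = b"constructed upstream tarball, replaced on a mirror later"

# Entry written by the developer at commit time, from the file they tested.
COMMITTED = dist_entry(NAME, ORIGINAL)
# Entry a cron job would write later from whatever the mirror then holds.
REGENERATED = dist_entry(NAME, TAMPERED)

def scenario():
    return {
        "committed_vs_original": verify(COMMITTED, NAME, ORIGINAL),
        "committed_vs_tampered": verify(COMMITTED, NAME, TAMPERED),
        "regenerated_vs_tampered": verify(REGENERATED, NAME, TAMPERED),
    }

if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case}: {'match' if ok else 'MISMATCH'}")
```

The third case is the one to look at: the regenerated entry matches the replaced file, so a client checking against it sees nothing wrong.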