On Sun, Apr 12, 2009 at 02:37:42AM -0400, Caleb Cushing wrote:
> I'm aware of the point of thin-Manifests (It's a long time running
> conversation), however it seems to be something more to the order of
> usage for distribution, in other words, overlays and tree's like
> regen2's and funtoo's. if you aren't distributing the tree for user
> consumption... then you'll still have to generate full manifests for
> rsync, it would seem easy and more space, processor effective to make
> it like metadata and cron generation, dev's don't really need them
> when hacking ebuilds do they? they're just a security/integrity
> measure for end users. I suppose the reason for devs to use them is
> they would be using the git tree to update their own systems.
Not having any Manifests in Git would mean that the DIST entry needs to
be generated at the point that the rest of the Manifest is built.
That requires IO time, as well as having all distfiles on that machine.
Some distfiles are restricted in various ways, so that they may NOT be
present on our mirrors, and so we don't want to force developers to have
to upload them just for generating the DIST entry.

Known security of the DIST entries is important as well. If the
developer commits the DIST entry, and signs it, we know that barring
hash attacks, it has not been modified.

Generating the Manifest entries for non-DIST bits is trivial, and with
Git, requires zero actual hashing, just extract the data from the Git
index as I say. It's the DIST ones that this is not possible for.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@g.o
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85