On Fri, Feb 20, 2009 at 11:50:07AM +0100, Robert Buchholz wrote:
> On Friday 20 February 2009, Robin H. Johnson wrote:
> > Remember that Portage will only verify hashes that exist in the file.
> > If they aren't in the file, they don't get verified. The fix you
> > describe is unneeded.
> If you use FEATURES=digest, Portage ignores missing lines or errors in 
> the Manifest completely. So either overlays must ship full Manifests or 
> Portage would need a feature to fix slim Manifests.
[snip some paragraphs missing the point].
Portage needs minor changes for slim Manifests anyway: specifically, to
check the files against the Git index rather than the Manifest. It's NOT
that the files from the tree directly are unsigned, but rather that
their digests/signatures exist in Git instead of the Manifest.

The commits in the Git tree should be signed anyway to increase
security.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@g.o
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85