| 1 |
On Thu, 11 Nov 2004 13:31:14 -0700 |
| 2 |
"Glen Combe" <gcombe@×××××××××××.us> wrote: |
| 3 |
|
| 4 |
> Kurt. |
| 5 |
> |
| 6 |
> Detail of time and implemention is what I have in mind. I sense you |
| 7 |
> might have a good feel for that? Weeks? Months? |
| 8 |
|
| 9 |
Well, first lets see what we're still missing implementation-wise: |
| 10 |
1) checksums/signatures for eclasses, profiles, the "scripts" dir and |
| 11 |
maybe a few others |
| 12 |
2) enforcement for devs to sign their packages |
| 13 |
3) some kind of PKI for portage signing keys |
| 14 |
4) better verification support, the current implementation has a few |
| 15 |
problems (performance sucks and key management is almost completely |
| 16 |
manual) |
| 17 |
5) stuff I forgot to mention here |
| 18 |
|
| 19 |
So now what needs to be done to fix these points: |
| 20 |
1) a) decide how these files are to be signed/verified (one Manifest for |
| 21 |
all eclasses, individual signatures, ...) |
| 22 |
b) modify repoman to work in those dirs (currently it's only for |
| 23 |
package dirs) |
| 24 |
2) a) ensure that *ALL* devs use repoman |
| 25 |
b) change repoman so only signed packages/eclasses/... are committed |
| 26 |
3) not sure |
| 27 |
4) a) find a way to improve gpg performance |
| 28 |
b) add support for 3) |
| 29 |
5) no clue ;) |
| 30 |
|
| 31 |
>From this list, 1a), 2a) and 3) are outside the scope of dev-portage |
| 32 |
(well, we could make an arbitrary decision for 1a), so I can't give any |
| 33 |
estimates for them. I also can't give any estimate for 4a) as I don't |
| 34 |
know if that's possible or 4b) as it depends on 3). So the only points I |
| 35 |
can give any information on are 1b) and 2b): |
| 36 |
1b) shouldn't be too difficult although repoman is tricky piece of |
| 37 |
software, I'd guess it would take a week or so for an initial |
| 38 |
implementation (depends on 1a of course) |
| 39 |
2b) Tricky to do this in a proper way. Pretty much needs real |
| 40 |
transaction support in repoman. A 80% solution is pretty simple though |
| 41 |
(less than a week). I'd need to go into implementation details of |
| 42 |
repoman to completely explain this. |
| 43 |
|
| 44 |
Marius |
| 45 |
|
| 46 |
-- |
| 47 |
Public Key at http://www.genone.de/info/gpg-key.pub |
| 48 |
|
| 49 |
In the beginning, there was nothing. And God said, 'Let there be |
| 50 |
Light.' And there was still nothing, but you could see a bit better. |
Archives