On Wednesday 07 December 2005 04:04, Marius Mauch wrote:
> As stated in the GLEP, gpg is outside the scope of this. As for the
> questions, per entry sigs would invert one of the main goals (size
> reduction). And so far I haven't seen any sufficient answer to
> questions I raised on -core and -portage-dev regarding the
> transaction/stacked/fragmented/whatever-you-want-to-call-it Manifest
> signing proposed by Robin, so I'm still quite against it.
|
Per entry sigs make no sense in the current design. All ebuilds can touch
all files, and so the complete manifest should be verified. This means
that the whole manifest should be signed.
|
Having said that, I would like to argue that this GLEP be implemented only
together with gpg signing the manifest. Doing otherwise would require
another change in the manifest format in a short time. If the manifest
format has optional signing that would also be ok. Just align the
requirements and make manifest2 and the gpg signing of it compatible.
|
Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@g.o
Homepage: http://www.devrieze.net