| 1 |
On Wednesday 07 December 2005 04:04, Marius Mauch wrote: |
| 2 |
> As stated in the GLEP, gpg is outside the scope of this. As for the |
| 3 |
> questions, per entry sigs would invert one of the main goals (size |
| 4 |
> reduction). And so far I haven't seen any sufficient answer to |
| 5 |
> questions I raised on -core and -portage-dev regarding the |
| 6 |
> transaction/stacked/fragmented/whatever-you-want-to-call-it Manifest |
| 7 |
> signing proposed by Robin, so I'm still quite against it. |
| 8 |
|
| 9 |
Per entry sigs make no sense in the current design. All ebuilds can touch |
| 10 |
all files, and so the complete manifest should be verified. This means |
| 11 |
that the whole manifest should be signed. |
| 12 |
|
| 13 |
Having said that, I would like to argue that this GLEP be implemented only |
| 14 |
together with gpg signing the manifest. Doing otherwise would require |
| 15 |
another change in the manifest format in a short time. If the manifest |
| 16 |
format has optional signing that would also be ok. Just align the |
| 17 |
requirements and make manifest2 and the gpg signing of it compatible. |
| 18 |
|
| 19 |
Paul |
| 20 |
|
| 21 |
-- |
| 22 |
Paul de Vrieze |
| 23 |
Gentoo Developer |
| 24 |
Mail: pauldv@g.o |
| 25 |
Homepage: http://www.devrieze.net |
Archives