| 1 |
>>>>> On Tue, 06 Oct 2020, Michał Górny wrote: |
| 2 |
|
| 3 |
> verify-sig eclass provides a streamlined approach to verifying upstream |
| 4 |
> signatures on distfiles. Its primary purpose is to permit developers |
| 5 |
> to easily verify signatures while bumping packages. The eclass removes |
| 6 |
> the risk of developer forgetting to perform the verification, |
| 7 |
> or performing it incorrectly, e.g. due to additional keys in the local |
| 8 |
> keyring. It also permits users to verify the developer's work. |
| 9 |
|
| 10 |
We've already discussed it in #-qa, and I still think that this is |
| 11 |
over-engineered. Users can validate the distfile by the Manifest and its |
| 12 |
signature, so exposing the feature to users is redundant. |
| 13 |
|
| 14 |
Ulrich |
Archives