>>>>> On Tue, 06 Oct 2020, Michał Górny wrote:

> verify-sig eclass provides a streamlined approach to verifying upstream
> signatures on distfiles. Its primary purpose is to permit developers
> to easily verify signatures while bumping packages. The eclass removes
> the risk of a developer forgetting to perform the verification,
> or performing it incorrectly, e.g. due to additional keys in the local
> keyring. It also permits users to verify the developer's work.

We've already discussed it in #-qa, and I still think that this is
over-engineered. Users can validate the distfile by the Manifest and its
signature, so exposing the feature to users is redundant.

Ulrich