| 1 |
>>>>> On Tue, 06 Oct 2020, Michał Górny wrote: |
| 2 |
|
| 3 |
> On Tue, 2020-10-06 at 13:34 +0200, Ulrich Mueller wrote: |
| 4 |
>> > > > > > On Tue, 06 Oct 2020, Michał Górny wrote: |
| 5 |
>> > On Tue, 2020-10-06 at 13:18 +0200, Ulrich Mueller wrote: |
| 6 |
>> > > > > > > > On Tue, 06 Oct 2020, Michał Górny wrote: |
| 7 |
>> > > > +IUSE="+verify-sig" |
| 8 |
>> > > |
| 9 |
>> > > At least don't enable this by default. The feature increases |
| 10 |
>> > > build time and has little (if any) benefits. |
| 11 |
>> > Do you have any numbers to back this claim? |
| 12 |
>> |
| 13 |
>> That's a strange question. Obviously build time can only increase if |
| 14 |
>> you install an additional dependency and download an additional |
| 15 |
>> distfile. |
| 16 |
|
| 17 |
> But how significant is the increase? Can you actually measure it |
| 18 |
> without trying hard to make things slow? |
| 19 |
|
| 20 |
IMHO it has no benefit at all for users, because distfile integrity is |
| 21 |
already guaranteed by digests. So this is a second and redundant method. |
| 22 |
On the other hand, it causes download of additional distfiles which may |
| 23 |
not be wanted by most users. |
| 24 |
|
| 25 |
> If you are going to claim that it outweighs the 'little' benefit, you |
| 26 |
> need to try harder than that. |
| 27 |
|
| 28 |
No. You are the one who wants to introduce a new feature, so it's up to |
| 29 |
you to motivate why (and how) adding a redundant method of distfile |
| 30 |
verification would make things more secure on the users' side. |
| 31 |
|
| 32 |
It is one thing to have this as a convenience eclass for developers |
| 33 |
(though I still think it's over-engineered), but another thing to make |
| 34 |
it the default for all users. |
| 35 |
|
| 36 |
Ulrich |
Archives