>>>>> On Tue, 06 Oct 2020, Michał Górny wrote:

> On Tue, 2020-10-06 at 13:34 +0200, Ulrich Mueller wrote:
>> > > > > > On Tue, 06 Oct 2020, Michał Górny wrote:
>> > On Tue, 2020-10-06 at 13:18 +0200, Ulrich Mueller wrote:
>> > > > > > > > On Tue, 06 Oct 2020, Michał Górny wrote:
>> > > > +IUSE="+verify-sig"
>> > >
>> > > At least don't enable this by default. The feature increases
>> > > build time and has little (if any) benefits.
>> > Do you have any numbers to back this claim?
>>
>> That's a strange question. Obviously build time can only increase if
>> you install an additional dependency and download an additional
>> distfile.

> But how significant is the increase? Can you actually measure it
> without trying hard to make things slow?

IMHO it has no benefit at all for users, because distfile integrity is
already guaranteed by digests. So this is a second and redundant method.
On the other hand, it causes download of additional distfiles which may
not be wanted by most users.

> If you are going to claim that it outweighs the 'little' benefit, you
> need to try harder than that.

No. You are the one who wants to introduce a new feature, so it's up to
you to motivate why (and how) adding a redundant method of distfile
verification would make things more secure on the users' side.

It is one thing to have this as a convenience eclass for developers
(though I still think it's over-engineered), but another thing to make
it the default for all users.

Ulrich