| 1 |
-----BEGIN PGP SIGNED MESSAGE-----
|
| 2 |
Hash: SHA512
|
| 3 |
|
| 4 |
On Thu, 16 Jul 2015 21:13:09 -0400
|
| 5 |
NP-Hardass <NP-Hardass@g.o> wrote:
|
| 6 |
|
| 7 |
> -----BEGIN PGP SIGNED MESSAGE----- |
| 8 |
> Hash: SHA256 |
| 9 |
> |
| 10 |
> Not sure if this has been covered in some of the rather long chains of |
| 11 |
> late, but I was thinking about GPG signing, and how the proposed |
| 12 |
> workflow requires every developer to sign their commits. Currently, |
| 13 |
> it's advised that every manifest be signed. As far as I know, there |
| 14 |
> are a number that are not. When a manifest is signed, the author is |
| 15 |
> saving a state, and providing a means to check it has not changed. |
| 16 |
> |
| 17 |
> Additionally, I feel that a signature is a means of acknowledging that |
| 18 |
> a package has been looked over, and that developer has stated that |
| 19 |
> they approve of the existing state. I'm not sure if others agree with |
| 20 |
> that sentiment, but if anyone does, my question is, how does the |
| 21 |
> conversion process to git handle these packages, where the manifests |
| 22 |
> are not signed. Is there an intention to blanket cover all packages |
| 23 |
> when we switch to git? Will these packages be copied over directly |
| 24 |
> and still maintain their unsigned manifest (I think this is unlikely |
| 25 |
> as I read that there would be a switch to thin manifests, requiring |
| 26 |
> regeneration)? If the community doesn't view the signature of the |
| 27 |
> manifest as I just described, then a blanket signing would be fine. |
| 28 |
> |
| 29 |
> Would appreciate your thoughts either way, as I could be overthinking |
| 30 |
> the issue :P |
| 31 |
> |
| 32 |
> - -- |
| 33 |
> NP-Hardass |
| 34 |
|
| 35 |
|
| 36 |
No, with the git working tree, we will switch to thin manifests and the
|
| 37 |
entire commit will be signed. Not only that, but the push to the main
|
| 38 |
server will also be signed (a push may contain commits signed by a
|
| 39 |
different person that the person pushing).
|
| 40 |
|
| 41 |
For the regular rsync tree, Full manifests will be regenerated as
|
| 42 |
needed and signed by a common infra supplied gpg key. So for general
|
| 43 |
users, it will be easy to verify without having all gentoo devs gpg
|
| 44 |
keys. That will be different for users of the git tree.
|
| 45 |
|
| 46 |
|
| 47 |
- --
|
| 48 |
Brian Dolbec <dolsen>
|
| 49 |
|
| 50 |
-----BEGIN PGP SIGNATURE-----
|
| 51 |
Version: GnuPG v2.1
|
| 52 |
|
| 53 |
iQJ8BAEBCgBmBQJVqFmVXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
|
| 54 |
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBNUQ3Qzc0RTA4MUNDNzBEQjRBNEFBRjVG
|
| 55 |
QkJEMDg3Mjc1ODIwRUQ4AAoJEPu9CHJ1gg7YAbQQAIACEYKfijcCZDaNnTBZTrzx
|
| 56 |
K47Nqx/0MRKKCF2LPTyMeiJ+RMAuGeuFFomNdxGxYAn+XxfP0PUefIXv7AJDwemV
|
| 57 |
NUX60tvYXd2x6xnBoDp0AfPsEBewWW50pVMK5UI1tGHUh0Ba5fGA7fyuoi0SyW4/
|
| 58 |
lRl4RoejhBZw5JWrecv4aDSBWa18wyJ9hUmoF5/cboHZlOBPtsskb+IQjeq3M3Dw
|
| 59 |
efn+cXJ90eR8QE4IO6y9wIuIZG0Dla4yD13XMzolPyBNfJh7qizWNryw4guVY5mf
|
| 60 |
/2wD/M1Adbgf0CuM8SXL0JeoO063Pqs8WVIEBb5M0yY04eB3b7JpBi5mZvk2RS4y
|
| 61 |
DVSd0MB+vK8WzSo/NrhYqqDJTY5ezYUnu8XW5GiLEk0eHMiP/Hh36cDU+eGfTVX9
|
| 62 |
vMYaYHS/15cN+8bhfs3SC7kLv7MdhG8Ye7UDyiWUrgbH19yzte8ExjyV3/oEoXOH
|
| 63 |
6Ng1OxGPozAhkwUB0hGNqWgWJ+n5FNYdTg3wtbPBeZmB/0sn7tkZRDy6aeg60Kfm
|
| 64 |
ytGCJXHGynkKunaLQCzRZVQ3Ywq1sqOHwUnlcbTMpCoZwR7TJ59BCIZs3J8kG14Z
|
| 65 |
B5DopEyfs8NEgNLXUd4thG7Pw7TXWxSXvo/m7+/vLuCmBfSNW8frF/5QADxNfnqR
|
| 66 |
Va2Sp8HY8ZElj+ug3G7W
|
| 67 |
=pfay
|
| 68 |
-----END PGP SIGNATURE----- |
Archives