-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Thu, 16 Jul 2015 21:13:09 -0400
NP-Hardass <NP-Hardass@g.o> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Not sure if this has been covered in some of the rather long chains of
> late, but I was thinking about GPG signing, and how the proposed
> workflow requires every developer to sign their commits. Currently,
> it's advised that every manifest be signed. As far as I know, there
> are a number that are not. When a manifest is signed, the author is
> saving a state, and providing a means to check it has not changed.
>
> Additionally, I feel that a signature is a means of acknowledging that
> a package has been looked over, and that developer has stated that
> they approve of the existing state. I'm not sure if others agree with
> that sentiment, but if anyone does, my question is, how does the
> conversion process to git handle these packages, where the manifests
> are not signed? Is there an intention to blanket cover all packages
> when we switch to git? Will these packages be copied over directly
> and still maintain their unsigned manifest (I think this is unlikely
> as I read that there would be a switch to thin manifests, requiring
> regeneration)? If the community doesn't view the signature of the
> manifest as I just described, then a blanket signing would be fine.
>
> Would appreciate your thoughts either way, as I could be overthinking
> the issue :P
>
> - --
> NP-Hardass

No, with the git working tree, we will switch to thin manifests and the
entire commit will be signed. Not only that, but the push to the main
server will also be signed (a push may contain commits signed by a
different person than the person pushing).

For the regular rsync tree, full manifests will be regenerated as
needed and signed by a common infra-supplied gpg key. So for general
users, it will be easy to verify without having all gentoo devs' gpg
keys. That will be different for users of the git tree.

- --
Brian Dolbec <dolsen>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1

iQJ8BAEBCgBmBQJVqFmVXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBNUQ3Qzc0RTA4MUNDNzBEQjRBNEFBRjVG
QkJEMDg3Mjc1ODIwRUQ4AAoJEPu9CHJ1gg7YAbQQAIACEYKfijcCZDaNnTBZTrzx
K47Nqx/0MRKKCF2LPTyMeiJ+RMAuGeuFFomNdxGxYAn+XxfP0PUefIXv7AJDwemV
NUX60tvYXd2x6xnBoDp0AfPsEBewWW50pVMK5UI1tGHUh0Ba5fGA7fyuoi0SyW4/
lRl4RoejhBZw5JWrecv4aDSBWa18wyJ9hUmoF5/cboHZlOBPtsskb+IQjeq3M3Dw
efn+cXJ90eR8QE4IO6y9wIuIZG0Dla4yD13XMzolPyBNfJh7qizWNryw4guVY5mf
/2wD/M1Adbgf0CuM8SXL0JeoO063Pqs8WVIEBb5M0yY04eB3b7JpBi5mZvk2RS4y
DVSd0MB+vK8WzSo/NrhYqqDJTY5ezYUnu8XW5GiLEk0eHMiP/Hh36cDU+eGfTVX9
vMYaYHS/15cN+8bhfs3SC7kLv7MdhG8Ye7UDyiWUrgbH19yzte8ExjyV3/oEoXOH
6Ng1OxGPozAhkwUB0hGNqWgWJ+n5FNYdTg3wtbPBeZmB/0sn7tkZRDy6aeg60Kfm
ytGCJXHGynkKunaLQCzRZVQ3Ywq1sqOHwUnlcbTMpCoZwR7TJ59BCIZs3J8kG14Z
B5DopEyfs8NEgNLXUd4thG7Pw7TXWxSXvo/m7+/vLuCmBfSNW8frF/5QADxNfnqR
Va2Sp8HY8ZElj+ug3G7W
=pfay
-----END PGP SIGNATURE-----
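The reply above turns on the difference between a thin manifest (DIST entries only, with the in-tree files covered by the signed git commit) and a full manifest (DIST plus EBUILD/MISC/AUX entries, regenerated and signed by the infra key for rsync users). The following added example, which is not part of this thread and not Gentoo's own portage or repoman code, assumes the Manifest2 line layout `TYPE name size HASHNAME hash ...` and uses SHA512 only; the package directory, ebuild and distfile it builds are constructed sample data. It shows that after an in-tree file is altered, the full manifest flags the change while the thin manifest cannot, which is exactly why the git tree must rely on the commit signature instead.

```python
import hashlib
import tempfile
from pathlib import Path

# Entry types that only a full manifest carries: they describe files that live
# in the repository itself. A thin manifest keeps only DIST entries, which
# describe files fetched from mirrors, so a signed commit must cover the rest.
TREE_ENTRY_TYPES = {"EBUILD", "MISC", "AUX"}


def parse_manifest(text):
    """Parse Manifest2 lines (TYPE name size HASHNAME hash ...) into dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # three fixed fields followed by (hash name, hash value) pairs
        if len(fields) < 5 or len(fields) % 2 != 1:
            raise ValueError(f"malformed manifest line: {line!r}")
        hashes = {k.lower(): v for k, v in zip(fields[3::2], fields[4::2])}
        entries.append({"type": fields[0], "name": fields[1],
                        "size": int(fields[2]), "hashes": hashes})
    return entries


def is_thin(entries):
    """True when no entry covers an in-tree file."""
    return not any(e["type"] in TREE_ENTRY_TYPES for e in entries)


def thin_from_full(entries):
    """Derive the thin form of a full manifest by keeping DIST entries only."""
    return [e for e in entries if e["type"] == "DIST"]


def verify_entries(entries, pkgdir, distdir):
    """Check size and SHA512 of each entry against disk; return (name, status) pairs."""
    results = []
    for e in entries:
        base = distdir if e["type"] == "DIST" else pkgdir
        path = Path(base) / e["name"]
        if not path.is_file():
            results.append((e["name"], "missing"))
            continue
        data = path.read_bytes()
        if len(data) != e["size"]:
            results.append((e["name"], "size-mismatch"))
            continue
        expected = e["hashes"].get("sha512")
        if expected is None:
            results.append((e["name"], "no-sha512"))
            continue
        ok = hashlib.sha512(data).hexdigest() == expected
        results.append((e["name"], "ok" if ok else "hash-mismatch"))
    return results


def manifest_line(etype, path):
    """Build one Manifest2 line for a file (SHA512 only, as assumed above)."""
    data = path.read_bytes()
    return f"{etype} {path.name} {len(data)} SHA512 {hashlib.sha512(data).hexdigest()}"


def demo():
    """Constructed scenario: one ebuild and one distfile, ebuild altered later."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "app-misc" / "hello"
        dist = Path(tmp) / "distfiles"
        pkg.mkdir(parents=True)
        dist.mkdir()
        ebuild = pkg / "hello-1.0.ebuild"
        ebuild.write_text('EAPI=5\nDESCRIPTION="constructed example"\n')
        tarball = dist / "hello-1.0.tar.gz"
        tarball.write_bytes(b"constructed sample data, not a real tarball\n")

        full_text = manifest_line("DIST", tarball) + "\n" + manifest_line("EBUILD", ebuild) + "\n"
        full = parse_manifest(full_text)
        thin = thin_from_full(full)

        # Same-length edit to the in-tree file after both manifests were written.
        ebuild.write_text('EAPI=6\nDESCRIPTION="constructed example"\n')

        return {
            "full_is_thin": is_thin(full),
            "thin_is_thin": is_thin(thin),
            "full": dict(verify_entries(full, pkg, dist)),
            "thin": dict(verify_entries(thin, pkg, dist)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The thin manifest still reports every entry as `ok` after the ebuild was changed, because nothing in it describes the ebuild; only the full manifest (or, in the git tree, the signature over the commit that contains the ebuild) detects the alteration.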