| 1 |
Torsten Veller dixit (2011-03-25, 08:15): |
| 2 |
|
| 3 |
> * Mike Frysinger <vapier@g.o>: |
| 4 |
> > On Thu, Mar 24, 2011 at 8:09 PM, Antoni Grzymala wrote: |
| 5 |
> [Manifest signing] |
| 6 |
> > > Does that get us any closer to GLEPs 57, 58, 59 (or generally |
| 7 |
> > > approaching the tree-signing/verifying group of problems)? |
| 8 |
> > |
| 9 |
> > yes |
| 10 |
> |
| 11 |
> I think, it's a "no". |
| 12 |
> The MetaManifest GLEP relies on a signed top-level "MetaManifest" which |
| 13 |
> hashes all sub Manifests, whether they are signed or not doesn't matter. |
| 14 |
> |
| 15 |
> I don't see a major advantage to signed portage snapshots we already |
| 16 |
> offer today. |
| 17 |
|
| 18 |
It's just that for everyday use we (perspective of users, possibly |
| 19 |
only me) would like to have the ability of easy and automated |
| 20 |
verifying of Manifest GPG signatures whether we (r)sync, webrsync or |
| 21 |
use a manually downloaded snapshot, with same level of assurance as in |
| 22 |
other major distros (Debian, RH). |
| 23 |
|
| 24 |
Regards, |
| 25 |
|
| 26 |
-- |
| 27 |
[a] |
Archives