| 1 |
On 3/24/11 10:59 PM, Mike Frysinger wrote: |
| 2 |
> is there any reason we should allow people to commit unsigned |
| 3 |
> Manifest's anymore ? generating/posting/enabling a gpg key is |
| 4 |
> ridiculously easy and there's really no excuse for a dev to not have |
| 5 |
> done this already. |
| 6 |
|
| 7 |
Firstly, I'm excited we're moving towards a signed portage tree. |
| 8 |
|
| 9 |
We can start with a repoman warning (yellow) and a transition period. |
| 10 |
|
| 11 |
> when i look at the tree, the signed stats are stupid low: |
| 12 |
> $ find *-* -maxdepth 2 -name Manifest | wc -l |
| 13 |
> 14438 |
| 14 |
> $ find *-* -maxdepth 2 -name Manifest -exec grep -l 'BEGIN PGP |
| 15 |
> SIGNATURE' {} + | wc -l |
| 16 |
> 6032 |
| 17 |
|
| 18 |
If I'm interpreting the data correctly, about 43% of Manifest files are |
| 19 |
signed. That's not too bad, I was expecting something more like 5%. |
| 20 |
|
| 21 |
By the way, is it acceptable to use the same GPG key for e-mail and |
| 22 |
signing packages? |
| 23 |
|
| 24 |
Paweł Hajdan, Jr. |
Archives