On 3/24/11 10:59 PM, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifests anymore? generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.

Firstly, I'm excited we're moving towards a signed portage tree.

We can start with a repoman warning (yellow) and a transition period.

> when i look at the tree, the signed stats are stupid low:
> $ find *-* -maxdepth 2 -name Manifest | wc -l
> 14438
> $ find *-* -maxdepth 2 -name Manifest -exec grep -l 'BEGIN PGP
> SIGNATURE' {} + | wc -l
> 6032

If I'm interpreting the data correctly, about 43% of Manifest files are
signed. That's not too bad, I was expecting something more like 5%.

By the way, is it acceptable to use the same GPG key for e-mail and
signing packages?

Paweł Hajdan, Jr.
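The two quoted commands count Manifests and signed Manifests by looking for a PGP signature block. The script below is an added example, not part of this thread or of repoman: it builds a small constructed tree (category/package/Manifest, mirroring the `*-*` layout the quoted find runs over), applies the same `grep -l 'BEGIN PGP SIGNATURE'` test, reports the signed percentage, and lists the unsigned Manifests, which is the set a yellow repoman warning during a transition period would flag. Names, paths and the "signed" heuristic are assumptions; a real check would verify the signature with gpg rather than only detect the block.

```shell
#!/bin/sh
# Added example, not part of the thread. Counts Manifest files under a
# tree and reports how many carry a PGP signature block.
# Assumption: a Manifest is "signed" if it contains the line
# "-----BEGIN PGP SIGNATURE-----", the same test grep -l used above;
# this detects the block only, it does not verify the signature.

# Build a constructed sample tree: four packages in three categories,
# two of them with a signature block appended to their Manifest.
make_sample_tree() {
    root="$1"
    for pkg in app-misc/foo dev-libs/bar sys-apps/baz app-misc/qux; do
        mkdir -p "$root/$pkg"
        printf 'DIST %s-1.0.tar.gz 12 SHA256 0000\n' "${pkg#*/}" \
            > "$root/$pkg/Manifest"
    done
    for pkg in app-misc/foo sys-apps/baz; do
        {
            printf '%s\n' '-----BEGIN PGP SIGNATURE-----'
            printf '%s\n\n%s\n' 'Version: constructed placeholder' 'AAAA'
            printf '%s\n' '-----END PGP SIGNATURE-----'
        } >> "$root/$pkg/Manifest"
    done
}

# All Manifests at root/category/package/Manifest (depth 3 from root,
# equivalent to "*-* -maxdepth 2" run from inside the tree).
count_manifests() {
    find "$1" -mindepth 3 -maxdepth 3 -name Manifest | wc -l | tr -d ' '
}

# Manifests containing a PGP signature block.
count_signed_manifests() {
    find "$1" -mindepth 3 -maxdepth 3 -name Manifest \
        -exec grep -l 'BEGIN PGP SIGNATURE' {} + | wc -l | tr -d ' '
}

# Integer percentage of signed Manifests (6032 of 14438 would give 41).
signed_percent() {
    total=$(count_manifests "$1")
    signed=$(count_signed_manifests "$1")
    [ "$total" -gt 0 ] || { echo 0; return; }
    echo $(( signed * 100 / total ))
}

# Unsigned Manifests: what a repoman warning would point developers at.
list_unsigned_manifests() {
    find "$1" -mindepth 3 -maxdepth 3 -name Manifest \
        -exec grep -L 'BEGIN PGP SIGNATURE' {} + | sort
}

# Run with --demo to exercise the functions on the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "manifests: $(count_manifests "$tmp")"
    echo "signed:    $(count_signed_manifests "$tmp")"
    echo "percent:   $(signed_percent "$tmp")"
    list_unsigned_manifests "$tmp"
    rm -rf "$tmp"
fi
```

Run it as `sh script.sh --demo`; point `count_manifests` and friends at the top of a real tree to get the same numbers the quoted commands produce, plus the list of Manifests still to be signed.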