On Wed, 7 Dec 2005 16:15:49 +0100
Paul de Vrieze <pauldv@g.o> wrote:

> On Wednesday 07 December 2005 04:04, Marius Mauch wrote:
> > As stated in the GLEP, gpg is outside the scope of this. As for the
> > questions, per entry sigs would invert one of the main goals (size
> > reduction). And so far I haven't seen any sufficient answer to
> > questions I raised on -core and -portage-dev regarding the
> > transaction/stacked/fragmented/whatever-you-want-to-call-it Manifest
> > signing proposed by Robin, so I'm still quite against it.
>
> Per entry sigs make no sense in the current design. All ebuilds can
> touch all files, and so the complete manifest should be verified.
> This means that the whole manifest should be signed.
>
> Having said that, I would like to argue that this GLEP be implemented
> only together with gpg signing the manifest. Doing otherwise would
> require another change in the manifest format in a short time. If the
> manifest format has optional signing that would also be ok. Just
> align the requirements and make manifest2 and the gpg signing of it
> compatible.

Signing is already implemented and independent of the Manifest
format. It's just not yet mandatory due to the missing key policy.

Marius

--
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.