| 1 |
On Wed, 7 Dec 2005 16:15:49 +0100 |
| 2 |
Paul de Vrieze <pauldv@g.o> wrote: |
| 3 |
|
| 4 |
> On Wednesday 07 December 2005 04:04, Marius Mauch wrote: |
| 5 |
> > As stated in the GLEP, gpg is outside the scope of this. As for the |
| 6 |
> > questions, per entry sigs would invert one of the main goals (size |
| 7 |
> > reduction). And so far I haven't seen any sufficient answer to |
| 8 |
> > questions I raised on -core and -portage-dev regarding the |
| 9 |
> > transaction/stacked/fragmented/whatever-you-want-to-call-it Manifest |
| 10 |
> > signing proposed by Robin, so I'm still quite against it. |
| 11 |
> |
| 12 |
> Per entry sigs make no sense in the current design. All ebuilds can |
| 13 |
> touch all files, and so the complete manifest should be verified. |
| 14 |
> This means that the whole manifest should be signed. |
| 15 |
> |
| 16 |
> Having said that, I would like to argue that this GLEP be implemented |
| 17 |
> only together with gpg signing the manifest. Doing otherwise would |
| 18 |
> require another change in the manifest format in a short time. If the |
| 19 |
> manifest format has optional signing that would also be ok. Just |
| 20 |
> align the requirements and make manifest2 and the gpg signing of it |
| 21 |
> compatible. |
| 22 |
|
| 23 |
Signing is already implemented and independent of the Manifest |
| 24 |
format. It's just not yet mandatory due to the missing key policy. |
| 25 |
|
| 26 |
Marius |
| 27 |
|
| 28 |
-- |
| 29 |
Public Key at http://www.genone.de/info/gpg-key.pub |
| 30 |
|
| 31 |
In the beginning, there was nothing. And God said, 'Let there be |
| 32 |
Light.' And there was still nothing, but you could see a bit better. |
Archives