Not sure if this has been covered in some of the rather long chains of
late, but I was thinking about GPG signing, and how the proposed
workflow requires every developer to sign their commits. Currently,
it's advised that every manifest be signed. As far as I know, there
are a number that are not. When a manifest is signed, the author is
saving a state, and providing a means to check it has not changed.

Additionally, I feel that a signature is a means of acknowledging that
a package has been looked over, and that developer has stated that
they approve of the existing state. I'm not sure if others agree with
that sentiment, but if anyone does, my question is, how does the
conversion process to git handle these packages, where the manifests
are not signed. Is there an intention to blanket cover all packages
when we switch to git? Will these packages be copied over directly
and still maintain their unsigned manifest (I think this is unlikely
as I read that there would be a switch to thin manifests, requiring
regeneration)? If the community doesn't view the signature of the
manifest as I just described, then a blanket signing would be fine.

Would appreciate your thoughts either way, as I could be overthinking
the issue :P

--
NP-Hardass