Gentoo Archives: gentoo-dev

From: NP-Hardass <NP-Hardass@g.o>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] Git, GPG Signing, and Manifests
Date: Fri, 17 Jul 2015 01:13:31
Message-Id: 55A856A5.1090904@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Not sure if this has been covered in some of the rather long chains of
late, but I was thinking about GPG signing, and how the proposed
workflow requires every developer to sign their commits. Currently,
it's advised that every manifest be signed. As far as I know, there
are a number that are not. When a manifest is signed, the author is
saving a state, and providing a means to check it has not changed.

Additionally, I feel that a signature is a means of acknowledging that
a package has been looked over, and that the developer has stated that
they approve of the existing state. I'm not sure if others agree with
that sentiment, but if anyone does, my question is: how does the
conversion process to git handle these packages, where the manifests
are not signed? Is there an intention to blanket cover all packages
when we switch to git? Will these packages be copied over directly
and still maintain their unsigned manifest (I think this is unlikely,
as I read that there would be a switch to thin manifests, requiring
regeneration)? If the community doesn't view the signature of the
manifest as I just described, then a blanket signing would be fine.

Would appreciate your thoughts either way, as I could be overthinking
the issue :P

- --
NP-Hardass
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJVqFalAAoJEBzZQR2yrxj7g3YP/3HkK57mPQp2xzcpwUlPHXkM
NAXaxO9UBRp2fNFc78Ja//xa8OUL0IDhsjI69uw2QRFILkgOjLo5n91d+KHuXFBc
y8BGJ9lkhYgyCy+uztYsKJwUnfINfURv/hFTKPemgO8FVhBHUqyP7Mbz9cck/92p
M+Wh12SrMqbTVRAc9ev5aho5hX2WG9fI0ikmX9WqkXo6UuQbc02VD4FdpkYaDhp4
ZzdpwUUGexMgZHgUahLCYTi0WbCCenUFupxGVfYYN7xTz539zbtER2LepfN6vGTw
H/mELsg5fU7GbB7LM7XhDyLBgXcwc3zg5L9bRdbWIEVH/YpOaL0ttSX6MLEc3g7/
26aotDjVGNJYcCcM+/GLSv761/MV9FdDe/ZfQSsY51rd1Uv9MjKLnfZf4MjqZ5x6
Fj2Jj7HvdfLdC+MmVNMzXWpkGpyZHoCcy+aES+dBweX3Qhcow4vtj+IKUKRu7R7l
toBWPe9vFNYdlb2ODphyD3lLyGcTElBOf/K6UBcv9lDrg0L5g4spOpMJ7PK1uCh5
nonkYAP+Rs4+hyWBlre9jqhH/SZFw7EioBVEXahiUvGExKgZHB33AzS74a+8AUqo
knHec0KafArlnE0TS71ZaPhrzWZbMSxiynacZAtT20VrKLsbunRuvTGEmoNZawy4
FMPMLKTKFQkI/Ps2K7Oa
=0QTd
-----END PGP SIGNATURE-----
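The message above hinges on what a Manifest signature actually binds, and on why a switch to thin manifests forces regeneration: a thick Manifest carries size and hash entries for the ebuilds, metadata and files/ contents alongside the DIST entries, while a thin Manifest keeps only the DIST entries and leaves the repository-tracked files to the git commit (and its signature). The following Python is an added example written for this page, not Gentoo's or Portage's code; it builds both kinds of Manifest from constructed package files, parses the RFC 4880 cleartext framing to tell a signed Manifest from an unsigned one, and checks which files a tampered tree would be caught by. The file contents, distfile bytes and the placeholder signature are all constructed; cryptographic verification of a real Manifest still has to be done with gpg, which this example deliberately does not call.

```python
"""Gentoo-style Manifest coverage check (added example, not Gentoo code).

Entry format: TYPE filename size HASH hex [HASH hex ...]
Thick manifests list DIST, EBUILD, MISC and AUX entries; thin manifests
(metadata/layout.conf thin-manifests = true) list only DIST entries.
"""
import hashlib

HASHES = ("BLAKE2B", "SHA512")   # hash set assumed for the example


def entry_type(path):
    """Classify a package-directory path into its Manifest entry type."""
    if path.endswith(".ebuild"):
        return "EBUILD"
    if path.startswith("files/"):
        return "AUX"                # AUX names are relative to files/
    return "MISC"


def manifest_key(path):
    kind = entry_type(path)
    return kind, (path[len("files/"):] if kind == "AUX" else path)


def fmt(kind, name, data):
    parts = [kind, name, str(len(data))]
    for h in HASHES:
        parts += [h, hashlib.new(h.lower(), data).hexdigest()]
    return " ".join(parts)


def make_manifest(tree, dist, thin=False):
    """tree: {relpath: bytes} in the package dir; dist: {name: bytes}."""
    lines = [fmt("DIST", n, d) for n, d in sorted(dist.items())]
    if not thin:
        for path, data in sorted(tree.items()):
            if path != "Manifest":
                lines.append(fmt(*manifest_key(path), data))
    return "\n".join(lines) + "\n"


def strip_cleartext(text):
    """Return (signed, body) for a possibly clearsigned Manifest.
    Only the framing is parsed; the signature itself needs gpg --verify."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return False, text
    i = 1
    while i < len(lines) and lines[i].strip():   # skip "Hash:" headers
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)  # dash-unescape
    return True, "\n".join(body) + "\n"


def parse(body):
    entries = {}
    for line in body.splitlines():
        f = line.split()
        if f:
            entries[(f[0], f[1])] = (int(f[2]), dict(zip(f[3::2], f[4::2])))
    return entries


def verify(manifest_text, tree, dist):
    """Compare files against the Manifest -> (signed, ok, bad, uncovered)."""
    signed, body = strip_cleartext(manifest_text)
    entries = parse(body)
    present = {manifest_key(p): d for p, d in tree.items() if p != "Manifest"}
    present.update({("DIST", n): d for n, d in dist.items()})
    ok, bad, uncovered = [], [], []
    for key, data in sorted(present.items()):
        if key not in entries:
            uncovered.append(key)       # Manifest says nothing about this file
            continue
        size, hashes = entries[key]
        good = size == len(data) and all(
            hashlib.new(h.lower(), data).hexdigest() == v for h, v in hashes.items())
        (ok if good else bad).append(key)
    return signed, ok, bad, uncovered


def fake_clearsign(body):
    """Constructed cleartext framing with a placeholder, invalid signature,
    used only to exercise strip_cleartext(); never treat it as verified."""
    esc = "\n".join(("- " + l) if l.startswith("-") else l for l in body.splitlines())
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + esc +
            "\n-----BEGIN PGP SIGNATURE-----\n<placeholder>\n-----END PGP SIGNATURE-----\n")


# Constructed sample package (not real Gentoo data).
TREE = {"foo-1.0.ebuild": b"EAPI=5\nSRC_URI=\"mirror://foo/foo-1.0.tar.gz\"\n",
        "metadata.xml": b"<pkgmetadata/>\n",
        "files/foo-fix.patch": b"--- a\n+++ b\n"}
DIST = {"foo-1.0.tar.gz": b"\x1f\x8b constructed tarball bytes"}


def demo():
    thick, thin = make_manifest(TREE, DIST), make_manifest(TREE, DIST, thin=True)
    tampered = dict(TREE, **{"foo-1.0.ebuild": b"EAPI=5\nSRC_URI=\"http://evil/x\"\n"})
    return {"thick": verify(thick, tampered, DIST),
            "thin": verify(thin, tampered, DIST),
            "thick_signed": verify(fake_clearsign(thick), TREE, DIST)}


if __name__ == "__main__":
    for name, (signed, ok, bad, unc) in demo().items():
        print(name, "signed" if signed else "UNSIGNED", "bad:", bad, "uncovered:", unc)
```

With the thick Manifest the edited ebuild shows up under `bad`; with the thin Manifest the same edit is merely `uncovered`, because nothing in a thin Manifest describes the ebuild at all, which is why the git commit signature has to take over that role after the conversion. The `signed` flag only reports framing; a real check runs `gpg --verify Manifest` against the key the Manifest claims and then re-hashes the body this function returns.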

Replies

Subject Author
Re: [gentoo-dev] Git, GPG Signing, and Manifests Kent Fredric <kentfredric@×××××.com>
Re: [gentoo-dev] Git, GPG Signing, and Manifests Brian Dolbec <dolsen@g.o>
OpenPGP verification (was Re: [gentoo-dev] Git, GPG Signing, and Manifests) Kristian Fiskerstrand <k_f@g.o>