| 1 |
On Mon, 2005-12-19 at 18:37 +0100, Marius Mauch wrote: |
| 2 |
> On Thu, 15 Dec 2005 22:47:21 -0500 |
| 3 |
> Mike Frysinger <vapier@g.o> wrote: |
| 4 |
> |
| 5 |
> > this months meeting wasnt too eventful, kind of quiet ... on the |
| 6 |
> > agenda: |
| 7 |
> > |
| 8 |
> > - Marius: decision on multi-hash for Manifest1 |
| 9 |
> > there was a bit of hearsay about why the council was asked to |
| 10 |
> > review/decide on this issue since we werent able to locate any |
| 11 |
> > portage devs at the time of the meeting ... |
| 12 |
> |
| 13 |
> Well, it would help if the actual meeting date would be announced and |
| 14 |
> not pushed back without notice ;) |
| 15 |
> |
| 16 |
> > so our decision comes with a slight caveat. assuming the reasons |
| 17 |
> > our input was asked for was summarized in the e-mail originally |
| 18 |
> > sent by Marius [1], then we're for what we dubbed option (2.5.1). |
| 19 |
> > that is, the portage team should go ahead with portage 2.0.54 and |
| 20 |
> > include support for SHA256/RMD160 hashes on top of MD5 hashes. SHA1 |
| 21 |
> > should not be included as having both SHA256/SHA1 is pointless. |
| 22 |
> |
| 23 |
> Ok, not a problem. |
| 24 |
> |
| 25 |
> > it was also noted that we should probably omit ChangeLog and |
| 26 |
> > metadata.xml files from the current Manifest schema as digesting |
| 27 |
> > them serves no real purpose. |
| 28 |
> |
| 29 |
> You're all aware that this would break <portage-2.0.51.20 (so any |
| 30 |
> portage version older than 6 months)? Also while they don't affect the |
| 31 |
> build process they contain important information and are/will be parsed |
| 32 |
> by portage, so I'm not that comfortable with dropping also the option |
| 33 |
> of verifying them permanently. |
| 34 |
> |
| 35 |
> One thing solar has pointed out is that in countries with stupid laws |
| 36 |
> pycrypto violates some patents so currently we cannot ship it in stages |
| 37 |
> or binary packages (so I'm told, I'm neither a lawyer nor someone who |
| 38 |
> is affected by such laws). This is probably something releng and the |
| 39 |
> python herd have to deal with. |
| 40 |
|
| 41 |
It's easy enough to patch the two ciphers out when USE=bindist would be |
| 42 |
set. |
| 43 |
|
| 44 |
> So right now I'll go ahead and add the pycrypto code to portage, but |
| 45 |
> will not yet add the dep to any ebuild or change anything metadata.xml |
| 46 |
> or ChangeLog related (according to Jason 2.0.54 is still away one or |
| 47 |
> two weeks anyway). |
| 48 |
|
| 49 |
If you do that please set it as a blocker for the .54 release. |
| 50 |
Reintroducing ChangeLog/metadata.xml to Manifests would be a undesired |
| 51 |
regression. Nothing in the portage as of <=.53 make direct use of those |
| 52 |
two files and there is no security value in bloating the digest format |
| 53 |
with them. Thats why they were removed 2.0.51.21 |
| 54 |
|
| 55 |
Making the argument for maybe portage in the future will use them is |
| 56 |
not valid as they are currently omited and we/I have been told before |
| 57 |
by the portage team (ferringb & jstubbs iirc??) that portage itself |
| 58 |
wont be doing any .xml parsing in it's core. IE So that means not today |
| 59 |
nor tomorrow will anything need to depend on those files in order to |
| 60 |
build. |
| 61 |
|
| 62 |
-- |
| 63 |
solar <solar@g.o> |
| 64 |
Gentoo Linux |
| 65 |
|
| 66 |
-- |
| 67 |
gentoo-dev@g.o mailing list |
Archives