On Mon, 2005-12-19 at 18:37 +0100, Marius Mauch wrote:
> On Thu, 15 Dec 2005 22:47:21 -0500
> Mike Frysinger <vapier@g.o> wrote:
>
> > this month's meeting wasn't too eventful, kind of quiet ... on the
> > agenda:
> >
> > - Marius: decision on multi-hash for Manifest1
> > there was a bit of hearsay about why the council was asked to
> > review/decide on this issue since we weren't able to locate any
> > portage devs at the time of the meeting ...
>
> Well, it would help if the actual meeting date would be announced and
> not pushed back without notice ;)
>
> > so our decision comes with a slight caveat. assuming the reasons
> > our input was asked for were summarized in the e-mail originally
> > sent by Marius [1], then we're for what we dubbed option (2.5.1).
> > that is, the portage team should go ahead with portage 2.0.54 and
> > include support for SHA256/RMD160 hashes on top of MD5 hashes. SHA1
> > should not be included as having both SHA256/SHA1 is pointless.
>
> Ok, not a problem.
>
> > it was also noted that we should probably omit ChangeLog and
> > metadata.xml files from the current Manifest schema as digesting
> > them serves no real purpose.
>
> You're all aware that this would break <portage-2.0.51.20 (so any
> portage version older than 6 months)? Also while they don't affect the
> build process they contain important information and are/will be parsed
> by portage, so I'm not that comfortable with dropping also the option
> of verifying them permanently.
>
> One thing solar has pointed out is that in countries with stupid laws
> pycrypto violates some patents so currently we cannot ship it in stages
> or binary packages (so I'm told, I'm neither a lawyer nor someone who
> is affected by such laws). This is probably something releng and the
> python herd have to deal with.

It's easy enough to patch the two ciphers out when USE=bindist would be
set.

> So right now I'll go ahead and add the pycrypto code to portage, but
> will not yet add the dep to any ebuild or change anything metadata.xml
> or ChangeLog related (according to Jason 2.0.54 is still away one or
> two weeks anyway).

If you do that please set it as a blocker for the .54 release.
Reintroducing ChangeLog/metadata.xml to Manifests would be an undesired
regression. Nothing in the portage as of <=.53 makes direct use of those
two files and there is no security value in bloating the digest format
with them. That's why they were removed in 2.0.51.21.

Making the argument for maybe portage in the future will use them is
not valid as they are currently omitted and we/I have been told before
by the portage team (ferringb & jstubbs iirc??) that portage itself
won't be doing any .xml parsing in its core. IE So that means not today
nor tomorrow will anything need to depend on those files in order to
build.

--
solar <solar@g.o>
Gentoo Linux

--
gentoo-dev@g.o mailing list