| 1 |
On Tue, 2020-10-06 at 14:06 +0200, Ulrich Mueller wrote: |
| 2 |
> > > > > > On Tue, 06 Oct 2020, Michał Górny wrote: |
| 3 |
> > On Tue, 2020-10-06 at 13:34 +0200, Ulrich Mueller wrote: |
| 4 |
> > > > > > > > On Tue, 06 Oct 2020, Michał Górny wrote: |
| 5 |
> > > > On Tue, 2020-10-06 at 13:18 +0200, Ulrich Mueller wrote: |
| 6 |
> > > > > > > > > > On Tue, 06 Oct 2020, Michał Górny wrote: |
| 7 |
> > > > > > +IUSE="+verify-sig" |
| 8 |
> > > > > |
| 9 |
> > > > > At least don't enable this by default. The feature increases |
| 10 |
> > > > > build time and has little (if any) benefits. |
| 11 |
> > > > Do you have any numbers to back this claim? |
| 12 |
> > > |
| 13 |
> > > That's a strange question. Obviously build time can only increase if |
| 14 |
> > > you install an additional dependency and download an additional |
| 15 |
> > > distfile. |
| 16 |
> > But how significant is the increase? Can you actually measure it |
| 17 |
> > without trying hard to make things slow? |
| 18 |
> |
| 19 |
> IMHO it has no benefit at all for users, because distfile integrity is |
| 20 |
> already guaranteed by digests. So this is a second and redundant method. |
| 21 |
> On the other hand, it causes download of additional distfiles which may |
| 22 |
> not be wanted by most users. |
| 23 |
> |
| 24 |
> > If you are going to claim that it outweighs the 'little' benefit, you |
| 25 |
> > need to try harder than that. |
| 26 |
> |
| 27 |
> No. You are the one who wants to introduce a new feature, so it's up to |
| 28 |
> you to motivate why (and how) adding a redundant method of distfile |
| 29 |
> verification would make things more secure on the users' side. |
| 30 |
> |
| 31 |
|
| 32 |
The eclassdoc answers this question already. Anyway, v2 disables it |
| 33 |
by default, so your concern should be resolved. |
| 34 |
|
| 35 |
-- |
| 36 |
Best regards, |
| 37 |
Michał Górny |
Archives