On Tue, 2020-10-06 at 14:06 +0200, Ulrich Mueller wrote:
> > > > > > On Tue, 06 Oct 2020, Michał Górny wrote:
> > On Tue, 2020-10-06 at 13:34 +0200, Ulrich Mueller wrote:
> > > > > > > > On Tue, 06 Oct 2020, Michał Górny wrote:
> > > > On Tue, 2020-10-06 at 13:18 +0200, Ulrich Mueller wrote:
> > > > > > > > > > On Tue, 06 Oct 2020, Michał Górny wrote:
> > > > > > +IUSE="+verify-sig" |
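Review bot: the leading `+` in `IUSE="+verify-sig"` turns the flag on for every user by default, which means the extra dependency and the extra distfile download raised in this thread apply unless the user opts out. Consider declaring it as `IUSE="verify-sig"` so verification is opt-in, and state in the eclass documentation what the signature check adds beyond the existing distfile digests.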
> > > > >
> > > > > At least don't enable this by default. The feature increases
> > > > > build time and has little (if any) benefits.
> > > > Do you have any numbers to back this claim?
> > >
> > > That's a strange question. Obviously build time can only increase if
> > > you install an additional dependency and download an additional
> > > distfile.
> > But how significant is the increase? Can you actually measure it
> > without trying hard to make things slow?
>
> IMHO it has no benefit at all for users, because distfile integrity is
> already guaranteed by digests. So this is a second and redundant method.
> On the other hand, it causes download of additional distfiles which may
> not be wanted by most users.
>
> > If you are going to claim that it outweighs the 'little' benefit, you
> > need to try harder than that.
>
> No. You are the one who wants to introduce a new feature, so it's up to
> you to motivate why (and how) adding a redundant method of distfile
> verification would make things more secure on the users' side.
>

The eclassdoc answers this question already. Anyway, v2 disables it
by default, so your concern should be resolved.

--
Best regards,
Michał Górny