| 1 |
On 19-02-19 23:04:26, Michael Orlitzky wrote: |
| 2 |
> On 2/19/19 10:23 PM, Matthew Thode wrote: |
| 3 |
> > As the title says, I think this should be done. |
| 4 |
> > |
| 5 |
> > First sync is impossible to verify without keys (webrsync) |
| 6 |
> > app-crypt/gentoo-keys has no dependencies, which help avoid some bloat |
| 7 |
> > in the base install. |
| 8 |
> > |
| 9 |
> > Let the bikeshedding begin. |
| 10 |
> > |
| 11 |
> |
| 12 |
> I don't have app-crypt/gentoo-keys installed. I seem to be doing okay |
| 13 |
> without it. |
| 14 |
> |
| 15 |
> In any case, on principle, we shouldn't add anything else to @system. No |
| 16 |
> one agrees on how we should treat @system packages as far as |
| 17 |
> dependencies go, and the whole idea is a stinky pile of dirty laundry |
| 18 |
> that we should work to make explicit instead. |
| 19 |
> |
| 20 |
> What problem would this solve? (Is adding gentoo-keys to @system the |
| 21 |
> least bad way to solve it?) |
| 22 |
> |
| 23 |
|
| 24 |
It'd allow the stage tarballs (3,4) to use webrsync-gpg to verify |
| 25 |
portage tarballs. This is useful for the initial sync (as called out in |
| 26 |
our manual). Otherwise using emerge-webrsync could be mitm'd or |
| 27 |
otherwise messed with. |
| 28 |
|
| 29 |
As far how we treat deps of @system packages, since this does not have |
| 30 |
any deps that should help check that box for anyone worried. |
| 31 |
|
| 32 |
-- |
| 33 |
Matthew Thode (prometheanfire) |
Archives