On 19-02-19 23:04:26, Michael Orlitzky wrote:
> On 2/19/19 10:23 PM, Matthew Thode wrote:
> > As the title says, I think this should be done.
> >
> > First sync is impossible to verify without keys (webrsync)
> > app-crypt/gentoo-keys has no dependencies, which helps avoid some bloat
> > in the base install.
> >
> > Let the bikeshedding begin.
> >
>
> I don't have app-crypt/gentoo-keys installed. I seem to be doing okay
> without it.
>
> In any case, on principle, we shouldn't add anything else to @system. No
> one agrees on how we should treat @system packages as far as
> dependencies go, and the whole idea is a stinky pile of dirty laundry
> that we should work to make explicit instead.
>
> What problem would this solve? (Is adding gentoo-keys to @system the
> least bad way to solve it?)
>
|
It'd allow the stage tarballs (3,4) to use webrsync-gpg to verify
portage tarballs. This is useful for the initial sync (as called out in
our manual). Otherwise using emerge-webrsync could be mitm'd or
otherwise messed with.

As far as how we treat deps of @system packages, since this does not have
any deps, that should help check that box for anyone worried.

--
Matthew Thode (prometheanfire)