On Thu, 11 Nov 2004 13:31:14 -0700
"Glen Combe" <gcombe@×××××××××××.us> wrote:

> Kurt.
>
> Detail of time and implementation is what I have in mind. I sense you
> might have a good feel for that? Weeks? Months?

Well, first let's see what we're still missing implementation-wise:
1) checksums/signatures for eclasses, profiles, the "scripts" dir and
maybe a few others
2) enforcement for devs to sign their packages
3) some kind of PKI for portage signing keys
4) better verification support, the current implementation has a few
problems (performance sucks and key management is almost completely
manual)
5) stuff I forgot to mention here

So now what needs to be done to fix these points:
1) a) decide how these files are to be signed/verified (one Manifest for
all eclasses, individual signatures, ...)
   b) modify repoman to work in those dirs (currently it's only for
package dirs)
2) a) ensure that *ALL* devs use repoman
   b) change repoman so only signed packages/eclasses/... are committed
3) not sure
4) a) find a way to improve gpg performance
   b) add support for 3)
5) no clue ;)

From this list, 1a), 2a) and 3) are outside the scope of dev-portage
(well, we could make an arbitrary decision for 1a), so I can't give any
estimates for them. I also can't give any estimate for 4a) as I don't
know if that's possible or 4b) as it depends on 3). So the only points I
can give any information on are 1b) and 2b):
1b) shouldn't be too difficult although repoman is a tricky piece of
software, I'd guess it would take a week or so for an initial
implementation (depends on 1a of course)
2b) Tricky to do this in a proper way. Pretty much needs real
transaction support in repoman. An 80% solution is pretty simple though
(less than a week). I'd need to go into implementation details of
repoman to completely explain this.

Marius

-- 
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.
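The "one Manifest for all eclasses" option in point 1a) above boils down to a checksum layer that a signature is later applied to: a single file listing every eclass with its size and digest, so that a modified, deleted or newly dropped-in eclass is caught before the signature on the Manifest is even checked. The following is an added example illustrating that layer, not portage's or repoman's own Manifest code; the line format (`SHA256 <relative path> <size> <digest>`) and the sample eclass contents are constructed for the demonstration, and the gpg signing of the resulting Manifest (points 2b and 3 in the mail) is deliberately left out.

```python
import hashlib
import os
import tempfile

# Assumed, simplified Manifest format: one line per file,
# "<ALGO> <path relative to the tree root> <size in bytes> <hex digest>".
HASH = "sha256"


def hash_file(path):
    """Stream a file through the chosen hash; avoids reading large files whole."""
    h = hashlib.new(HASH)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk_files(root):
    """Yield (relative posix path, absolute path) for every regular file except the Manifest."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order so the Manifest is reproducible
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel != "Manifest":
                yield rel, full


def build_manifest(root):
    """Return the Manifest text covering every file under root."""
    lines = [f"{HASH.upper()} {rel} {os.path.getsize(full)} {hash_file(full)}"
             for rel, full in _walk_files(root)]
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Map relative path -> (size, digest); reject anything that is not a well-formed line."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] != HASH.upper():
            raise ValueError(f"malformed Manifest line {lineno}: {line!r}")
        _algo, rel, size, digest = parts
        entries[rel] = (int(size), digest)
    return entries


def verify_tree(root, manifest_text):
    """Return a sorted list of problems; an empty list means the tree matches the Manifest.

    Three failure classes are reported: a listed file whose content changed,
    a listed file that is gone, and a file present on disk that the Manifest
    never covered (the case a per-file signature scheme would silently miss).
    """
    expected = parse_manifest(manifest_text)
    problems = []
    present = set()
    for rel, full in _walk_files(root):
        present.add(rel)
        if rel not in expected:
            problems.append(f"unlisted file: {rel}")
            continue
        size, digest = expected[rel]
        if os.path.getsize(full) != size or hash_file(full) != digest:
            problems.append(f"checksum mismatch: {rel}")
    for rel in expected:
        if rel not in present:
            problems.append(f"missing file: {rel}")
    return sorted(problems)


def demo():
    """Constructed eclass tree: build a Manifest, verify, tamper in three ways, verify again."""
    with tempfile.TemporaryDirectory() as root:
        eclass_dir = os.path.join(root, "eclass")
        os.makedirs(eclass_dir)
        base = os.path.join(eclass_dir, "base.eclass")
        toolchain = os.path.join(eclass_dir, "toolchain.eclass")
        with open(base, "w") as f:  # constructed sample content, not a real eclass
            f.write("# constructed sample eclass\nbase_src_unpack() { unpack ${A}; }\n")
        with open(toolchain, "w") as f:
            f.write("# constructed sample eclass\ninherit base\n")

        manifest = build_manifest(root)
        clean = verify_tree(root, manifest)

        # Tamper: redefine a function in one eclass, delete another, add an unknown one.
        with open(base, "a") as f:
            f.write("base_src_unpack() { :; }\n")
        os.remove(toolchain)
        with open(os.path.join(eclass_dir, "rogue.eclass"), "w") as f:
            f.write("# constructed, not covered by the Manifest\n")
        tampered = verify_tree(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean tree:", before or "OK")
    print("tampered tree:", *after, sep="\n  ")
```

Because the Manifest is a single document, signing it once covers every file it lists; the verifier only has to check one signature and then a set of cheap hashes, which is also why a per-directory Manifest is the natural unit if gpg invocation cost (point 4a) is the bottleneck.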