| 1 |
On Sun, Nov 07, 2004 at 12:01:35PM -0500 or thereabouts, Chris Frey wrote: |
| 2 |
> Plus, the glibc ebuild maintainer should be tracking the changes. He knows |
| 3 |
> what's going on in glibc land, he knows the build process, he should be |
| 4 |
> in touch with the main developers, and he should be reading the diffs. |
| 5 |
|
| 6 |
If you believe this happens for even 20% of the packages in our tree, |
| 7 |
you're mistaken. Most devs look at changelogs. Few devs look at code |
| 8 |
diffs. Note I did not say "Gentoo devs". |
| 9 |
|
| 10 |
> I would instead recommend that he compare Gentoo to other distros that take |
| 11 |
> package signing more seriously. It may be that the features and benefits |
| 12 |
> of a source-based distro like Gentoo outweigh the need for signed ebuilds, |
| 13 |
> like it does for me on one of my machines. But it also may mean that |
| 14 |
> some machines require the security and peace of mind of another distro's |
| 15 |
> signing practices and verification policies. Other machines I admin |
| 16 |
> fall into this category as well. |
| 17 |
|
| 18 |
I would recommend that you, along with the other folks who have |
| 19 |
misunderstood what this thread is about go back and re-read the original |
| 20 |
post. This has nothing to do with signed ebuilds in portage. Signed |
| 21 |
ebuilds in portage is something that is already implemented and supported |
| 22 |
as an experimental feature as of 2.0.51: |
| 23 |
|
| 24 |
http://www.gentoo.org/news/20041021-portage51.xml |
| 25 |
|
| 26 |
The original poster was talking about the inability to verify *eclasses*, |
| 27 |
not ebuilds. eclasses are an important part of portage from a features and |
| 28 |
functionality perspective, but they make up a small fraction of the overall |
| 29 |
tree in terms of sheer number of files. My point was and still is that |
| 30 |
investing the time and effort to also sign these files isn't worth it given |
| 31 |
the myriad of other larger holes that already exist further upstream. |
| 32 |
|
| 33 |
We can argue all day long about whether or not to stick our finger in the |
| 34 |
dike to plug the leak we see, but if there's a 3x3 hole just around the |
| 35 |
bend that's gushing water, are we really serving any useful purpose? |
| 36 |
|
| 37 |
Or, to leverage one of the primary tenets of FOSS -- if there are folks on |
| 38 |
the list who truly believe this is a hole that should be fixed, provide |
| 39 |
patches to portage to add this functionality. It already supports signing |
| 40 |
to some degree -- one could reasonably assume that adding support for |
| 41 |
signing of eclasses is relatively easy for a competent python programmer. |
| 42 |
|
| 43 |
--kurt |
Archives