On Sun, Nov 07, 2004 at 12:01:35PM -0500 or thereabouts, Chris Frey wrote:
> Plus, the glibc ebuild maintainer should be tracking the changes. He knows
> what's going on in glibc land, he knows the build process, he should be
> in touch with the main developers, and he should be reading the diffs.

If you believe this happens for even 20% of the packages in our tree,
you're mistaken. Most devs look at changelogs. Few devs look at code
diffs. Note I did not say "Gentoo devs".

> I would instead recommend that he compare Gentoo to other distros that take
> package signing more seriously. It may be that the features and benefits
> of a source-based distro like Gentoo outweigh the need for signed ebuilds,
> like it does for me on one of my machines. But it also may mean that
> some machines require the security and peace of mind of another distro's
> signing practices and verification policies. Other machines I admin
> fall into this category as well.

I would recommend that you, along with the other folks who have
misunderstood what this thread is about, go back and re-read the original
post. This has nothing to do with signed ebuilds in portage. Signed
ebuilds in portage are something that is already implemented and supported
as an experimental feature as of 2.0.51:

http://www.gentoo.org/news/20041021-portage51.xml

The original poster was talking about the inability to verify *eclasses*,
not ebuilds. eclasses are an important part of portage from a features and
functionality perspective, but they make up a small fraction of the overall
tree in terms of sheer number of files. My point was and still is that
investing the time and effort to also sign these files isn't worth it given
the myriad of other larger holes that already exist further upstream.

We can argue all day long about whether or not to stick our finger in the
dike to plug the leak we see, but if there's a 3x3 hole just around the
bend that's gushing water, are we really serving any useful purpose?

Or, to leverage one of the primary tenets of FOSS -- if there are folks on
the list who truly believe this is a hole that should be fixed, provide
patches to portage to add this functionality. It already supports signing
to some degree -- one could reasonably assume that adding support for
signing of eclasses is relatively easy for a competent python programmer.

--kurt