On Wednesday 07 December 2005 04:04, Marius Mauch wrote:
> As stated in the GLEP, gpg is outside the scope of this. As for the
> questions, per entry sigs would invert one of the main goals (size
> reduction). And so far I haven't seen any sufficient answer to
> questions I raised on -core and -portage-dev regarding the
> transaction/stacked/fragmented/whatever-you-want-to-call-it Manifest
> signing proposed by Robin, so I'm still quite against it.

Per entry sigs make no sense in the current design. All ebuilds can touch all files, and so the complete manifest should be verified. This means that the whole manifest should be signed.

Having said that, I would like to argue that this GLEP be implemented only together with gpg signing the manifest. Doing otherwise would require another change in the manifest format in a short time. If the manifest format has optional signing that would also be ok. Just align the requirements and make manifest2 and the gpg signing of it compatible.

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: [EMAIL PROTECTED]
Homepage: http://www.devrieze.net