Torsten Veller dixit (2011-03-25, 08:15): > * Mike Frysinger <vap...@gentoo.org>: > > On Thu, Mar 24, 2011 at 8:09 PM, Antoni Grzymala wrote: > [Manifest signing] > > > Does that get us any closer to GLEPs 57, 58, 59 (or generally > > > approaching the tree-signing/verifying group of problems)? > > > > yes > > I think, it's a "no". > The MetaManifest GLEP relies on a signed top-level "MetaManifest" which > hashes all sub Manifests, whether they are signed or not doesn't matter. > > I don't see a major advantage to signed portage snapshots we already > offer today.
It's just that for everyday use we (perspective of users, possibly only me) would like to have the ability of easy and automated verifying of Manifest GPG signatures whether we (r)sync, webrsync or use a manually downloaded snapshot, with same level of assurance as in other major distros (Debian, RH). Regards, -- [a]
