> They will be OpenPGP signed by a releng key during thickening and
> portage will auto-verify it using gkeys once things are in place. As
> such checksum for ebuilds and other files certainly needs to be part
> of the manifest, otherwise it can open up for malicious alterations of
> these files.

And we switch portage in the near future to enforce signature checking on rsync'ed repositories? (e.g. controlled via repos.d/*) :-)