On 3/24/11 10:59 PM, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifest's anymore ? generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.
Firstly, I'm excited we're moving towards a signed portage tree.
We can start with a repoman warning (yellow) and a transition period.
> when i look at the tree, the signed stats are stupid low:
> $ find *-* -maxdepth 2 -name Manifest | wc -l
> 14438
> $ find *-* -maxdepth 2 -name Manifest -exec grep -l 'BEGIN PGP SIGNATURE' {} + | wc -l
> 6032
If I'm interpreting the data correctly, about 43% of Manifest files are
signed. That's not too bad, I was expecting something more like 5%.
By the way, is it acceptable to use the same GPG key for e-mail and
signing packages?
Paweł Hajdan, Jr.
