-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Not sure if this has been covered in some of the rather long chains of late, but I was thinking about GPG signing, and how the proposed workflow requires every developer to sign their commits. Currently, it's advised that every manifest be signed. As far as I know, there are a number that are not. When a manifest is signed, the author is saving a state, and providing a means to check it has not changed.
Additionally, I feel that a signature is a means of acknowledging that a package has been looked over, and that developer has stated that they approve of the existing state. I'm not sure if others agree with that sentiment, but if anyone does, my question is, how does the conversion process to git handle these packages, where the manifests are not signed. Is there an intention to blanket cover all packages when we switch to git? Will these packages be copied over directly and still maintain their unsigned manifest (I think this is unlikely as I read that there would be a switch to thin manifests, requiring regeneration)? If the community doesn't view the signature of the manifest as I just described, then a blanket signing would be fine. Would appreciate your thoughts either way, as I could be overthinking the issue :P - -- NP-Hardass -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJVqFalAAoJEBzZQR2yrxj7g3YP/3HkK57mPQp2xzcpwUlPHXkM NAXaxO9UBRp2fNFc78Ja//xa8OUL0IDhsjI69uw2QRFILkgOjLo5n91d+KHuXFBc y8BGJ9lkhYgyCy+uztYsKJwUnfINfURv/hFTKPemgO8FVhBHUqyP7Mbz9cck/92p M+Wh12SrMqbTVRAc9ev5aho5hX2WG9fI0ikmX9WqkXo6UuQbc02VD4FdpkYaDhp4 ZzdpwUUGexMgZHgUahLCYTi0WbCCenUFupxGVfYYN7xTz539zbtER2LepfN6vGTw H/mELsg5fU7GbB7LM7XhDyLBgXcwc3zg5L9bRdbWIEVH/YpOaL0ttSX6MLEc3g7/ 26aotDjVGNJYcCcM+/GLSv761/MV9FdDe/ZfQSsY51rd1Uv9MjKLnfZf4MjqZ5x6 Fj2Jj7HvdfLdC+MmVNMzXWpkGpyZHoCcy+aES+dBweX3Qhcow4vtj+IKUKRu7R7l toBWPe9vFNYdlb2ODphyD3lLyGcTElBOf/K6UBcv9lDrg0L5g4spOpMJ7PK1uCh5 nonkYAP+Rs4+hyWBlre9jqhH/SZFw7EioBVEXahiUvGExKgZHB33AzS74a+8AUqo knHec0KafArlnE0TS71ZaPhrzWZbMSxiynacZAtT20VrKLsbunRuvTGEmoNZawy4 FMPMLKTKFQkI/Ps2K7Oa =0QTd -----END PGP SIGNATURE-----
