On Thu, 16 Jul 2015 21:13:09 -0400 NP-Hardass <np-hard...@gentoo.org> wrote:
> Not sure if this has been covered in some of the rather long chains of late, but I was thinking about GPG signing, and how the proposed workflow requires every developer to sign their commits. Currently, it's advised that every manifest be signed. As far as I know, there are a number that are not. When a manifest is signed, the author is saving a state, and providing a means to check it has not changed.
>
> Additionally, I feel that a signature is a means of acknowledging that a package has been looked over, and that the developer has stated that they approve of the existing state. I'm not sure if others agree with that sentiment, but if anyone does, my question is, how does the conversion process to git handle these packages, where the manifests are not signed? Is there an intention to blanket cover all packages when we switch to git? Will these packages be copied over directly and still maintain their unsigned manifest (I think this is unlikely, as I read that there would be a switch to thin manifests, requiring regeneration)? If the community doesn't view the signature of the manifest as I just described, then a blanket signing would be fine.
>
> Would appreciate your thoughts either way, as I could be overthinking the issue :P
>
> --
> NP-Hardass

No, with the git working tree, we will switch to thin manifests and the entire commit will be signed. Not only that, but the push to the main server will also be signed (a push may contain commits signed by a different person than the person pushing).

For the regular rsync tree, full manifests will be regenerated as needed and signed by a common infra-supplied gpg key. So for general users, it will be easy to verify without having all gentoo devs' gpg keys. That will be different for users of the git tree.
-- 
Brian Dolbec <dolsen>
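The thread above separates two checks a Manifest gives a user: the signature over it says who vouched for that state, and the hashes inside it let anyone confirm the distfiles have not changed since. As an added illustration that is not part of the thread, the Python below parses a constructed clearsigned thin Manifest (DIST lines only, as the git tree will carry), tells thin from full Manifests, and verifies file sizes and hashes; the signature block is a placeholder, because checking the signature itself is left to gpg.

```python
import hashlib
import re

# Hash algorithms Gentoo Manifests may list; other names on a line are ignored.
SUPPORTED = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512, "BLAKE2B": hashlib.blake2b}

# Constructed sample: a thin Manifest (DIST lines only) in clearsigned form. The hash is
# SHA-256 of the 11-byte string b"hello world"; the signature block is a placeholder only.
SAMPLE_MANIFEST = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

DIST example-1.0.tar.gz 11 SHA256 b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
-----BEGIN PGP SIGNATURE-----
(placeholder: armored signature omitted; gpg would verify it, this parser does not)
-----END PGP SIGNATURE-----
"""

def strip_clearsign(text):
    """Return the signed body of a clearsigned Manifest, or the text unchanged if unsigned."""
    m = re.search(r"^-----BEGIN PGP SIGNED MESSAGE-----\n(?:[^\n]+\n)*\n(.*?)\n-----BEGIN PGP SIGNATURE-----",
                  text, re.S | re.M)
    return m.group(1) if m else text

def parse_manifest(text):
    """Parse 'TYPE filename size HASHNAME hex [HASHNAME hex ...]' lines into
    (type, filename, size, {hashname: hex}) tuples."""
    entries = []
    for line in strip_clearsign(text).splitlines():
        fields = line.split()
        if len(fields) < 5 or len(fields) % 2 == 0:
            continue  # blank or malformed: need type, name, size and whole hash pairs
        kind, name, size, *rest = fields
        entries.append((kind, name, int(size), dict(zip(rest[::2], rest[1::2]))))
    return entries

def is_thin(entries):
    """Thin Manifests (git tree) carry only DIST lines; full ones (rsync tree) add EBUILD/AUX/MISC."""
    return all(kind == "DIST" for kind, _, _, _ in entries)

def verify(entries, files):
    """Check each entry against file contents (filename -> bytes); returns filename -> ok/missing/size/hash."""
    status = {}
    for _, name, size, hashes in entries:
        data = files.get(name)
        if data is None:
            status[name] = "missing"
            continue
        mismatch = [h for h, hexv in hashes.items() if h in SUPPORTED and SUPPORTED[h](data).hexdigest() != hexv]
        status[name] = "size" if len(data) != size else "hash" if mismatch else "ok"
    return status
```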