On 07/17/2015 10:18 AM, Kristian Fiskerstrand wrote:
> On 07/17/2015 03:13 AM, NP-Hardass wrote:
> 
>> Additionally, I feel that a signature is a means of acknowledging
>> that a package has been looked over, and that developer has stated
>> that they approve of the existing state.  I'm not sure if others
>> agree with that sentiment,
> 
> I appreciate that you bring up this point. I would expect that part of
> that state is for the developer to verify the source distfile from
> upstream using OpenPGP / GnuPG as well, i.e. not just rely on TOFU
> (trust on first use). This also means keeping a (locally) certified
> copy of the upstream distribution key that is reasonably verified by
> the developer.
> 

This really depends. In general, a signed commit can and should only say
that the _patch_ comes from or was approved by a particular person. If
it's a version bump on a single package, you can probably assume that he
had a rough lookover. But you can't expect the same when e.g. the python
herd has to do mass commits because of USE flag changes.

That "approve of existing state" thing is rather implicit in a review
workflow, where the package maintainer does the merge. We currently
don't have any plans to enforce this globally, so signatures just say
"this patch comes from...".
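The distfile check Kristian describes above (verify against a locally certified copy of the upstream key, not just TOFU) can be made mechanical by reading GnuPG's status output. The following is an added example and not code from the thread or from Gentoo's tooling; the status lines, key id and fingerprint are constructed, and it assumes the developer has already pinned the upstream release key's fingerprint after verifying it out of band.

```python
from typing import Tuple

# Constructed sample of `gpg --status-fd 1 --verify pkg.tar.gz.sig pkg.tar.gz`
# output with a hypothetical key: the signature is good, but the key's validity
# comes only from TOFU, which is the case the thread says is not enough.
TOFU_ONLY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Upstream <release@example.org>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2015-07-17 1437120000 0 4 0 1 10 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF
[GNUPG:] TRUST_FULLY 0 tofu
"""

# Hypothetical fingerprint of the upstream release key that the developer has
# verified and certified locally (e.g. with `gpg --lsign-key`).
PINNED_UPSTREAM_FPR = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"

_FAILURES = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def check_distfile_signature(status_output: str, pinned_fpr: str) -> Tuple[bool, str]:
    """Accept a distfile signature only when gpg reports GOODSIG + VALIDSIG,
    the (primary) signing key fingerprint equals the pinned one, and the
    TRUST_* line is FULLY/ULTIMATE under a web-of-trust model rather than tofu."""
    records = [line.split()[1:] for line in status_output.splitlines()
               if line.startswith("[GNUPG:] ")]
    keywords = {rec[0] for rec in records if rec}
    failed = keywords & _FAILURES
    if failed:
        return False, "gpg reported " + ", ".join(sorted(failed))
    if "GOODSIG" not in keywords:
        return False, "no GOODSIG line"
    validsig = next((r for r in records if r and r[0] == "VALIDSIG"), None)
    if validsig is None:
        return False, "no VALIDSIG line"
    # VALIDSIG: <sig fpr> <date> <ts> <exp> <ver> <res> <pk-algo> <hash> <class> [<primary fpr>]
    signing_fpr, primary_fpr = validsig[1].upper(), validsig[-1].upper()
    if pinned_fpr.upper() not in (signing_fpr, primary_fpr):
        return False, f"signed by unpinned key {primary_fpr}"
    trust = next((r for r in records if r and r[0].startswith("TRUST_")), None)
    if trust is None:
        return False, "no TRUST_* line"
    level = trust[0][len("TRUST_"):]
    model = trust[2] if len(trust) > 2 else "classic"  # validation model, if gpg reports one
    if "tofu" in model:
        return False, f"key validity comes from {model}, not a local certification"
    if level not in ("FULLY", "ULTIMATE"):
        return False, f"key trust level is {level}"
    return True, f"good signature from locally certified key {primary_fpr}"
```

The same check applied to a `git verify-commit` status stream would only establish who signed the patch, which is the narrower claim the reply above is making about commit signatures.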
