>>>>> On Tue, 06 Oct 2020, Michał Górny wrote:

> verify-sig eclass provides a streamlined approach to verifying upstream
> signatures on distfiles. Its primary purpose is to permit developers
> to easily verify signatures while bumping packages. The eclass removes
> the risk of a developer forgetting to perform the verification,
> or performing it incorrectly, e.g. due to additional keys in the local
> keyring. It also permits users to verify the developer's work.

We've already discussed it in #-qa, and I still think that this is over-engineered. Users can validate the distfile by the Manifest and its signature, so exposing the feature to users is redundant.

Ulrich