Hi,

On 2020-10-06 at 13:17, Ulrich Mueller wrote:
>>>>>> On Tue, 06 Oct 2020, Michał Górny wrote:
> 
>> verify-sig eclass provides a streamlined approach to verifying upstream
>> signatures on distfiles.  Its primary purpose is to permit developers
>> to easily verify signatures while bumping packages.  The eclass removes
>> the risk of a developer forgetting to perform the verification,
>> or performing it incorrectly, e.g. due to additional keys in the local
>> keyring.  It also permits users to verify the developer's work.
> 
> We've already discussed it in #-qa, and I still think that this is
> over-engineered. Users can validate the distfile by the Manifest and its
> signature, so exposing the feature to users is redundant.

IMHO, manifest verification and distfile verification are two separate things.
Before you validate and sign the Manifest, you need to fetch the (new) source and
verify it. This is not redundant at all.

Best,
Frédéric Pierret
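The point in Michał's description about verification "performed incorrectly, e.g. due to additional keys in the local keyring" is easy to reproduce. The script below is an added illustration for this thread, not code from the verify-sig eclass or from Gentoo: it builds throwaway GnuPG homes for an upstream signer, an unrelated signer, and a developer whose everyday keyring has imported both keys, then shows that a tampered tarball signed by the unrelated key passes a plain `gpg --verify` against the developer's default keyring but fails when the check is pinned to a keyring holding only upstream's key. All keys, file contents and names are constructed here; it assumes GnuPG 2.1 or later on PATH.

```shell
#!/bin/sh
# Added illustration (not verify-sig eclass code): why an upstream signature
# must be checked against a pinned keyring, not the developer's default one.
# Every key, file and "attacker" below is constructed in temporary GNUPGHOMEs.
set -u

WORK=$(mktemp -d)
UPSTREAM_HOME="$WORK/upstream"   # upstream's release key lives here
OTHER_HOME="$WORK/other"         # an unrelated signer (the "additional key")
DEV_HOME="$WORK/dev"             # developer's everyday keyring, has both keys
mkdir -m 700 "$UPSTREAM_HOME" "$OTHER_HOME" "$DEV_HOME"

# Stop the per-home gpg-agents and remove the scratch tree on exit.
cleanup() {
    for h in "$UPSTREAM_HOME" "$OTHER_HOME" "$DEV_HOME"; do
        GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gen_key HOME UID : unprotected signing-only key so everything stays in batch mode.
gen_key() {
    GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" ed25519 sign never
}

# sign_file HOME FILE : detached, ASCII-armored signature written to FILE.asc.
sign_file() {
    GNUPGHOME=$1 gpg --batch --quiet --armor --detach-sign --output "$2.asc" "$2"
}

gen_key "$UPSTREAM_HOME" 'Upstream Release Key <release@example.invalid>'
gen_key "$OTHER_HOME"    'Some Other Contact <other@example.invalid>'

# Constructed distfiles: the genuine release, and a modified copy that a bad
# mirror serves together with a perfectly valid signature by the other key.
GENUINE="$WORK/foo-1.0.tar.gz"
TAMPERED="$WORK/foo-1.0-mirror.tar.gz"
printf 'genuine release\n'    > "$GENUINE"
printf 'backdoored release\n' > "$TAMPERED"
sign_file "$UPSTREAM_HOME" "$GENUINE"
sign_file "$OTHER_HOME"    "$TAMPERED"

# Pinned keyring: a plain keyring file containing only upstream's public key.
PINNED="$WORK/upstream.gpg"
GNUPGHOME=$UPSTREAM_HOME gpg --batch --quiet --export --output "$PINNED"

# The developer's default keyring has picked up both keys over time.
GNUPGHOME=$UPSTREAM_HOME gpg --batch --quiet --export | GNUPGHOME=$DEV_HOME gpg --batch --quiet --import
GNUPGHOME=$OTHER_HOME    gpg --batch --quiet --export | GNUPGHOME=$DEV_HOME gpg --batch --quiet --import

# verify_pinned FILE : 0 only if FILE.asc is a good signature by a key in the
# pinned keyring. --no-default-keyring keeps the developer's own keys out of it.
verify_pinned() {
    GNUPGHOME=$DEV_HOME gpg --batch --quiet --no-default-keyring --keyring "$PINNED" \
        --trust-model always --verify "$1.asc" "$1" 2>/dev/null
}

# verify_default FILE : the careless check, against whatever the developer has.
verify_default() {
    GNUPGHOME=$DEV_HOME gpg --batch --quiet --trust-model always \
        --verify "$1.asc" "$1" 2>/dev/null
}

if verify_default "$TAMPERED"; then
    echo "default keyring: tampered tarball ACCEPTED (signed by some key the developer has)"
fi
verify_pinned "$TAMPERED" || echo "pinned keyring:  tampered tarball rejected"
verify_pinned "$GENUINE"  && echo "pinned keyring:  genuine tarball accepted"
```

The difference is entirely in `--no-default-keyring --keyring "$PINNED"`: gpg reports "Good signature" whenever the signing key is present and the signature is valid, so a keyring that accumulates keys from mailing lists and keyservers turns "is this signed by upstream?" into "is this signed by anyone I have ever imported?". The distfile check is what happens before the Manifest is written and signed; the Manifest signature later covers the developer's hashes, not upstream's identity, which is why the two verifications are separate steps.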
