Re: [gentoo-dev] December 15th Meeting Summary

[solar <solar@gentoo.org>]

On Mon, 2005-12-19 at 18:37 +0100, Marius Mauch wrote:
> On Thu, 15 Dec 2005 22:47:21 -0500
> Mike Frysinger <vapier@gentoo.org> wrote:
> 
> > this months meeting wasnt too eventful, kind of quiet ... on the
> > agenda:
> > 
> > - Marius: decision on multi-hash for Manifest1
> > there was a bit of hearsay about why the council was asked to
> > review/decide on this issue since we werent able to locate any
> > portage devs at the time of the meeting ...
> 
> Well, it would help if the actual meeting date would be announced and
> not pushed back without notice ;)
> 
> > so our decision comes with a slight caveat.  assuming the reasons 
> > our input was asked for was summarized in the e-mail originally
> > sent by Marius [1], then we're for what we dubbed option (2.5.1).
> > that is, the portage team should go ahead with portage 2.0.54 and
> > include support for SHA256/RMD160 hashes on top of MD5 hashes.  SHA1
> > should not be included as having both SHA256/SHA1 is pointless.
> 
> Ok, not a problem.
> 
> > it was also noted that we should probably omit ChangeLog and 
> > metadata.xml files from the current Manifest schema as digesting 
> > them serves no real purpose.
> 
> You're all aware that this would break <portage-2.0.51.20 (so any
> portage version older than 6 months)? Also while they don't affect the
> build process they contain important information and are/will be parsed
> by portage, so I'm not that comfortable with dropping also the option
> of verifying them permanently.
> 
> One thing solar has pointed out is that in countries with stupid laws
> pycrypto violates some patents so currently we cannot ship it in stages
> or binary packages (so I'm told, I'm neither a lawyer nor someone who
> is affected by such laws). This is probably something releng and the
> python herd have to deal with.

It's easy enough to patch the two ciphers out when USE=bindist would be
set. 

> So right now I'll go ahead and add the pycrypto code to portage, but
> will not yet add the dep to any ebuild or change anything metadata.xml
> or ChangeLog related (according to Jason 2.0.54 is still away one or
> two weeks anyway).

If you do that please set it as a blocker for the .54 release. 
Reintroducing ChangeLog/metadata.xml to Manifests would be a undesired
regression. Nothing in the portage as of <=.53 make direct use of those
two files and there is no security value in bloating the digest format
with them. Thats why they were removed 2.0.51.21

Making the argument for maybe portage in the future will use them is 
not valid as they are currently omited and we/I have been told before
by the portage team (ferringb & jstubbs iirc??) that portage itself
wont be doing any .xml parsing in it's core. IE So that means not today
nor tomorrow will anything need to depend on those files in order to
build.

-- 
solar <solar@gentoo.org>
Gentoo Linux

-- 
gentoo-dev@gentoo.org mailing list