From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org) by nuthatch.gentoo.org with esmtp (Exim 4.54) id 1EoQ5M-0006zQ-VD for garchives@archives.gentoo.org; Mon, 19 Dec 2005 18:50:13 +0000 Received: from robin.gentoo.org (localhost [127.0.0.1]) by robin.gentoo.org (8.13.5/8.13.5) with SMTP id jBJImlD1025383; Mon, 19 Dec 2005 18:48:47 GMT Received: from mail01.emarketsouth.com (mail01.emarketsouth.com [208.247.233.6]) by robin.gentoo.org (8.13.5/8.13.5) with SMTP id jBJIjCo2009429 for ; Mon, 19 Dec 2005 18:45:12 GMT Received: (qmail 15397 invoked by uid 399); 19 Dec 2005 18:44:58 -0000 Received: from unknown (HELO onyx) (64.192.54.4) by mail01.emarketsouth.com with SMTP; 19 Dec 2005 18:44:58 -0000 Subject: Re: [gentoo-dev] December 15th Meeting Summary From: solar To: gentoo-dev@lists.gentoo.org Cc: releng@gentoo.org, python@gentoo.org In-Reply-To: <20051219183716.13f195c4@sven.genone.homeip.net> References: <200512152247.21770.vapier@gentoo.org> <20051219183716.13f195c4@sven.genone.homeip.net> Content-Type: text/plain Organization: Gentoo Linux Date: Mon, 19 Dec 2005 13:45:04 -0500 Message-Id: <1135017904.11584.70.camel@onyx> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@gentoo.org Reply-to: gentoo-dev@lists.gentoo.org Mime-Version: 1.0 X-Mailer: Evolution 2.2.3 Content-Transfer-Encoding: 7bit X-Archives-Salt: bdf6e07f-75a0-405d-9940-01642330d81e X-Archives-Hash: a664cf74eb953c456f7a6f153e5ab9de On Mon, 2005-12-19 at 18:37 +0100, Marius Mauch wrote: > On Thu, 15 Dec 2005 22:47:21 -0500 > Mike Frysinger wrote: > > > this months meeting wasnt too eventful, kind of quiet ... on the > > agenda: > > > > - Marius: decision on multi-hash for Manifest1 > > there was a bit of hearsay about why the council was asked to > > review/decide on this issue since we werent able to locate any > > portage devs at the time of the meeting ... > > Well, it would help if the actual meeting date would be announced and > not pushed back without notice ;) > > > so our decision comes with a slight caveat. assuming the reasons > > our input was asked for was summarized in the e-mail originally > > sent by Marius [1], then we're for what we dubbed option (2.5.1). > > that is, the portage team should go ahead with portage 2.0.54 and > > include support for SHA256/RMD160 hashes on top of MD5 hashes. SHA1 > > should not be included as having both SHA256/SHA1 is pointless. > > Ok, not a problem. > > > it was also noted that we should probably omit ChangeLog and > > metadata.xml files from the current Manifest schema as digesting > > them serves no real purpose. > > You're all aware that this would break portage version older than 6 months)? Also while they don't affect the > build process they contain important information and are/will be parsed > by portage, so I'm not that comfortable with dropping also the option > of verifying them permanently. > > One thing solar has pointed out is that in countries with stupid laws > pycrypto violates some patents so currently we cannot ship it in stages > or binary packages (so I'm told, I'm neither a lawyer nor someone who > is affected by such laws). This is probably something releng and the > python herd have to deal with. It's easy enough to patch the two ciphers out when USE=bindist would be set. > So right now I'll go ahead and add the pycrypto code to portage, but > will not yet add the dep to any ebuild or change anything metadata.xml > or ChangeLog related (according to Jason 2.0.54 is still away one or > two weeks anyway). If you do that please set it as a blocker for the .54 release. Reintroducing ChangeLog/metadata.xml to Manifests would be a undesired regression. Nothing in the portage as of <=.53 make direct use of those two files and there is no security value in bloating the digest format with them. Thats why they were removed 2.0.51.21 Making the argument for maybe portage in the future will use them is not valid as they are currently omited and we/I have been told before by the portage team (ferringb & jstubbs iirc??) that portage itself wont be doing any .xml parsing in it's core. IE So that means not today nor tomorrow will anything need to depend on those files in order to build. -- solar Gentoo Linux -- gentoo-dev@gentoo.org mailing list