From: Jan Krueger
Organization: microgalaxy.net
To: Chris Bainbridge, Gentoo-Dev
Date: Mon, 8 Sep 2003 01:50:28 +0000
Subject: Re: [gentoo-dev] suggestion portage ebuild system file modification rights and protection
Message-Id: <200309080150.28114.jk@microgalaxy.net>
In-Reply-To: <200309072341.28933.C.J.Bainbridge@ed.ac.uk>
References: <200309072143.47126.jk@microgalaxy.net> <200309072341.28933.C.J.Bainbridge@ed.ac.uk>
List-Id: Gentoo Linux mail

On Sunday 07 September 2003 23:41, Chris Bainbridge wrote:
> This has been discussed before (
> http://bugs.gentoo.org/show_bug.cgi?id=5902 ). I think the gpg signatures
> development got put on hold because there was talk of making individuals
> responsible for packages (like Debian), rather than the system at the
> moment where a small core does all of the work.

Thank you for this information. Sounds good :)
Unfortunately I read it after I answered the mail of Jon Portnoy.

> My proposal was to use signatures along with the concept of requiring a
> certain number of developers to "sign off" an ebuild. It's important that
> the compromise of a single developer with cvs access shouldn't impact
> thousands of users. Therefore, most packages should require two or more
> developer signatures before they will be installed.

Sounds good too :)

> Using a secure distribution infrastructure (e.g. rsync over ssl) is not an
> option if gentoo is going to be distributed over untrusted p2p networks
> (which I think it will in the future).

Ok, forget about ssl/ssh for now.

Jan

--
gentoo-dev@gentoo.org mailing list
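
The "two or more developer signatures" rule quoted in this mail, sketched as an added example (not code from the thread or from Portage). It assumes a Lamport one-time hash signature as a standard-library stand-in for GPG; the developer names, the sample ebuild and the function names are hypothetical.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def bits(digest: bytes) -> list:
    # 256 message bits, most significant bit of each byte first
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    # Lamport one-time key: two secrets per digest bit; public key = their hashes
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, digest: bytes) -> list:
    return [sk[i][bit] for i, bit in enumerate(bits(digest))]

def verify(pk, digest: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, bits(digest))))

def approved(ebuild: bytes, signatures, trusted, threshold=2) -> bool:
    """signatures: [(developer, sig)]; trusted: {developer: public key}."""
    digest = H(ebuild)
    signers = set()  # distinct developers; repeats by one developer count once
    for name, sig in signatures:
        pk = trusted.get(name)
        if pk is not None and verify(pk, digest, sig):
            signers.add(name)
    return len(signers) >= threshold

def demo() -> dict:
    ebuild = b"# constructed sample ebuild\nSRC_URI=example\n"
    keys = {n: keygen() for n in ("alice", "bob", "mallory")}
    trusted = {n: keys[n][1] for n in ("alice", "bob")}  # mallory is not a developer
    a, b, m = [(n, sign(keys[n][0], H(ebuild))) for n in ("alice", "bob", "mallory")]
    return {
        "two_developers": approved(ebuild, [a, b], trusted),
        "one_developer_twice": approved(ebuild, [a, a], trusted),
        "developer_plus_outsider": approved(ebuild, [a, m], trusted),
        "modified_after_signing": approved(ebuild + b"#", [a, b], trusted),
    }

if __name__ == "__main__":
    print(demo())
```

The check counts distinct trusted signers rather than signatures, so one developer's key alone never reaches the threshold, and the signatures cover the ebuild's digest, so the result does not depend on how the file was transported.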