From: Brian Harring
To: gentoo-dev@lists.gentoo.org
Date: Sat, 5 Nov 2005 14:29:31 -0600
Subject: Re: [gentoo-dev] GLEP 42 "Critical News Reporting" Round Two
Message-ID: <20051105202931.GD25194@nightcrawler>
In-Reply-To: <20051105174535.52f6187d@snowdrop.home>

On Sat, Nov 05, 2005 at 05:45:35PM +0000, Ciaran McCreesh wrote:
> | > News items may be signed using GPG. If this is done, a detached
> | > signature should be used.
> |
> | I'd argue for must be, personally. A bogus news item claiming to be
> | from portage devs, telling users to change their SYNC setting could
> | cause massive mayhem.
>
> Signing elsewhere isn't mandatory yet. Deal with it ;)

New additions to the tree that don't require signing just shove more
load onto anyone who is trying to make the entire tree signed- you're
already placing it in the tree so it doesn't screw with future portage
plans (news directory), this isn't much different.

Note also I'm not stating your example clients must handle signing-
it'll ugly up the trivial examples a bit, but the messages delivered
*must* be signed from where I'm sitting.

It's easy to state that "well others don't have to sign"; the problem
here is that you must start somewhere. If the whole effort of signing
is abandoned, the restriction that all news items be signed is easily
dropped- going in reverse (retroactively getting authors to sign their
old news) is a bit of work that could be avoided.

> | Still haven't addressed my point about
> | A) package moves combined with news entries
>
> Gotta handle those manually / with epkgmove. Someone could write a
> server-side handler for automatic updates if they want, but given that
> package moves are already a case of "do all the things on a big list",
> it's not much added complexity...

Note it please; it's a concern.

> | No go on -core imo; it's a community/dev issue, should be visible to
> | the general public rather than hidden away in the ml we do our
> | flaming in.
>
> There *might* be legit security reasons for using -core, for example
> for nasty "upgrade required" security bugs that we can't disclose
> before a given date. Hopefully this will never happen.

Valid point, which will hopefully be noted in v3 of the glep? :)

> | Already pointed out that this won't fly looking forward, it
> | implicitly assumes a single repository.
>
> Again, we can deal with that if Portage ever gets multiple repo
> support. Until it does, I'm not trying to guess how it's going to end
> up being implemented.

*cough* PORTDIR_OVERLAY *cough*

Already have multiple repo support. Assumed you meant standalone, in
which case I still think you're dodging support that must be there.
Changing it after the fact because it wasn't designed with an extra bit
of forward thinking isn't something I'm incredibly game for. Yes it's
extra work for you, but you're proposing the change ;)

You're going for forward compatibility... this is just that.

> | Nuke flashy (any phrasing that allows for blinking crap sliding into
> | portage I instinctively dislike).
>
> Is there a technical name for the big red !!!!! messages?

Freaking annoying, is the technical term I use.
~harring

--
gentoo-dev@gentoo.org mailing list
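Added example, not from the thread or from GLEP 42: the "must be signed" policy argued above, expressed as a client-side check that displays a news item only if a detached GPG signature beside it verifies against a trusted keyring, and that rejects both an unsigned item and one edited after signing. It assumes GnuPG 2.1 or later on PATH; the key, file names and item text are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from GLEP 42: a minimal "must be signed"
# check for a news item using a detached, ASCII-armoured GPG signature, as the
# reply argues for. Assumes gpg (GnuPG 2.1+) is on PATH; file names are made up.
set -eu

# Throwaway keyring: only keys present here count as trusted news publishers.
export GNUPGHOME="${GNUPGHOME:-$(mktemp -d)}"
chmod 700 "$GNUPGHOME"

# news_verify ITEM: returns 0 when ITEM.asc is a detached signature over ITEM
# from a key in GNUPGHOME, 1 when the signature is missing or does not verify.
# A client enforcing "must be signed" only displays items that return 0.
news_verify() {
    item=$1
    if [ ! -f "$item.asc" ]; then
        echo "REJECT $item: no detached signature" >&2
        return 1
    fi
    if gpg --batch --quiet --verify "$item.asc" "$item" 2>/dev/null; then
        echo "OK $item"
        return 0
    fi
    echo "REJECT $item: signature does not verify" >&2
    return 1
}

# news_demo: generate a test key, sign a constructed item, then show that an
# unsigned copy and a copy edited after signing are both rejected.
news_demo() {
    dir=$(mktemp -d)
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'News Tester <news-tester@example.invalid>' \
        default default never 2>/dev/null
    printf '%s\n' 'Title: Constructed demo item' 'Author: News Tester' '' \
        'Body text that exists only to be signed.' > "$dir/item.en.txt"
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign -o "$dir/item.en.txt.asc" "$dir/item.en.txt"
    news_verify "$dir/item.en.txt" || return 1
    # Unsigned: the same text dropped into the tree with no .asc beside it.
    cp "$dir/item.en.txt" "$dir/unsigned.en.txt"
    ! news_verify "$dir/unsigned.en.txt" || return 1
    # Tampered: signature present, but the body changed after it was made.
    cp "$dir/item.en.txt.asc" "$dir/tampered.en.txt.asc"
    sed 's/exists only/was edited/' "$dir/item.en.txt" > "$dir/tampered.en.txt"
    ! news_verify "$dir/tampered.en.txt" || return 1
    echo "demo passed"
}
```

Run `news_demo` to exercise all three cases; a real client would call only `news_verify` on each item in the news directory before showing it.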