public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] December 15th Meeting Summary
From: Mike Frysinger @ 2005-12-16  3:47 UTC
  To: gentoo-dev

this month's meeting wasn't too eventful, kind of quiet ... on the agenda:

- Marius: decision on multi-hash for Manifest1
there was a bit of hearsay about why the council was asked to review/decide on 
this issue since we weren't able to locate any portage devs at the time of the 
meeting ... so our decision comes with a slight caveat.  assuming the reasons 
our input was asked for were summarized in the e-mail originally sent by 
Marius [1], then we're for what we dubbed option (2.5.1).  that is, the 
portage team should go ahead with portage 2.0.54 and include support for 
SHA256/RMD160 hashes on top of MD5 hashes.  SHA1 should not be included as 
having both SHA256/SHA1 is pointless.  furthermore, we hope this is just a 
holdover until Manifest2 is ironed out/approved/implemented/deployed.  it 
was also noted that we should probably omit ChangeLog and metadata.xml files 
from the current Manifest schema as digesting them serves no real purpose.
[1] http://article.gmane.org/gmane.linux.gentoo.devel/33434

- Council: portage signing
shortly after our November meeting, a nice summary was posted by Robin Johnson 
that covered signing issues from top to bottom.  as such, it was felt that 
trying to throw together a GLEP would not be beneficial.  instead we will be 
adding a constant agenda item to future council meetings as to the status of 
portage signing issues to keep the project from slipping into obscurity 
again.

full meeting log:
http://www.gentoo.org/proj/en/council/meeting-logs/20051215.txt
-mike
-- 
gentoo-dev@gentoo.org mailing list



* Re: [gentoo-dev] December 15th Meeting Summary
From: Marius Mauch @ 2005-12-19 17:37 UTC
  To: gentoo-dev, python, releng

On Thu, 15 Dec 2005 22:47:21 -0500
Mike Frysinger <vapier@gentoo.org> wrote:

> this month's meeting wasn't too eventful, kind of quiet ... on the
> agenda:
> 
> - Marius: decision on multi-hash for Manifest1
> there was a bit of hearsay about why the council was asked to
> review/decide on this issue since we weren't able to locate any
> portage devs at the time of the meeting ...

Well, it would help if the actual meeting date would be announced and
not pushed back without notice ;)

> so our decision comes with a slight caveat.  assuming the reasons 
> our input was asked for were summarized in the e-mail originally
> sent by Marius [1], then we're for what we dubbed option (2.5.1).
> that is, the portage team should go ahead with portage 2.0.54 and
> include support for SHA256/RMD160 hashes on top of MD5 hashes.  SHA1
> should not be included as having both SHA256/SHA1 is pointless.

Ok, not a problem.

> it was also noted that we should probably omit ChangeLog and 
> metadata.xml files from the current Manifest schema as digesting 
> them serves no real purpose.

You're all aware that this would break <portage-2.0.51.20 (so any
portage version older than 6 months)? Also while they don't affect the
build process they contain important information and are/will be parsed
by portage, so I'm not that comfortable with dropping also the option
of verifying them permanently.

One thing solar has pointed out is that in countries with stupid laws
pycrypto violates some patents so currently we cannot ship it in stages
or binary packages (so I'm told, I'm neither a lawyer nor someone who
is affected by such laws). This is probably something releng and the
python herd have to deal with.

So right now I'll go ahead and add the pycrypto code to portage, but
will not yet add the dep to any ebuild or change anything metadata.xml
or ChangeLog related (according to Jason 2.0.54 is still away one or
two weeks anyway).

Marius

-- 
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.

* Re: [gentoo-dev] December 15th Meeting Summary
From: Alec Joseph Warner @ 2005-12-19 18:07 UTC
  To: gentoo-dev



Marius Mauch wrote:
> On Thu, 15 Dec 2005 22:47:21 -0500
> Mike Frysinger <vapier@gentoo.org> wrote:
> 
> 
>>this month's meeting wasn't too eventful, kind of quiet ... on the
>>agenda:
>>
>>- Marius: decision on multi-hash for Manifest1
>>there was a bit of hearsay about why the council was asked to
>>review/decide on this issue since we weren't able to locate any
>>portage devs at the time of the meeting ...
> 
> 
> Well, it would help if the actual meeting date would be announced and
> not pushed back without notice ;)
> 
> 
>>so our decision comes with a slight caveat.  assuming the reasons 
>>our input was asked for were summarized in the e-mail originally
>>sent by Marius [1], then we're for what we dubbed option (2.5.1).
>>that is, the portage team should go ahead with portage 2.0.54 and
>>include support for SHA256/RMD160 hashes on top of MD5 hashes.  SHA1
>>should not be included as having both SHA256/SHA1 is pointless.
> 
> 
> Ok, not a problem.
> 
> 
>>it was also noted that we should probably omit ChangeLog and 
>>metadata.xml files from the current Manifest schema as digesting 
>>them serves no real purpose.
> 
> 
> You're all aware that this would break <portage-2.0.51.20 (so any
> portage version older than 6 months)? Also while they don't affect the
> build process they contain important information and are/will be parsed
> by portage, so I'm not that comfortable with dropping also the option
> of verifying them permanently.
   FYI, that version of portage is already broken by the virtuals glep 
and X11's virtual/stuff so no harm there ;)

-Alec Warner (antarus)

* Re: [gentoo-dev] December 15th Meeting Summary
From: Mike Frysinger @ 2005-12-19 18:37 UTC
  To: gentoo-dev; +Cc: lucass

On Mon, Dec 19, 2005 at 06:37:16PM +0100, Marius Mauch wrote:
> On Thu, 15 Dec 2005 22:47:21 -0500
> Mike Frysinger <vapier@gentoo.org> wrote:
> > there was a bit of hearsay about why the council was asked to
> > review/decide on this issue since we weren't able to locate any
> > portage devs at the time of the meeting ...
> 
> Well, it would help if the actual meeting date would be announced and
> not pushed back without notice ;)

we've taken steps with automating future announcements since this
month's meeting was a bit under-publicized

> One thing solar has pointed out is that in countries with stupid laws
> pycrypto violates some patents so currently we cannot ship it in stages
> or binary packages (so I'm told, I'm neither a lawyer nor someone who
> is affected by such laws). This is probably something releng and the
> python herd have to deal with.

this shouldn't be too much of an issue

Lukasz: mind if i commit support for USE=bindist or you guys want a bug
to track it ?
-mike

* Re: [gentoo-dev] December 15th Meeting Summary
From: solar @ 2005-12-19 18:45 UTC
  To: gentoo-dev; +Cc: releng, python

On Mon, 2005-12-19 at 18:37 +0100, Marius Mauch wrote:
> On Thu, 15 Dec 2005 22:47:21 -0500
> Mike Frysinger <vapier@gentoo.org> wrote:
> 
> > this month's meeting wasn't too eventful, kind of quiet ... on the
> > agenda:
> > 
> > - Marius: decision on multi-hash for Manifest1
> > there was a bit of hearsay about why the council was asked to
> > review/decide on this issue since we weren't able to locate any
> > portage devs at the time of the meeting ...
> 
> Well, it would help if the actual meeting date would be announced and
> not pushed back without notice ;)
> 
> > so our decision comes with a slight caveat.  assuming the reasons 
> > our input was asked for were summarized in the e-mail originally
> > sent by Marius [1], then we're for what we dubbed option (2.5.1).
> > that is, the portage team should go ahead with portage 2.0.54 and
> > include support for SHA256/RMD160 hashes on top of MD5 hashes.  SHA1
> > should not be included as having both SHA256/SHA1 is pointless.
> 
> Ok, not a problem.
> 
> > it was also noted that we should probably omit ChangeLog and 
> > metadata.xml files from the current Manifest schema as digesting 
> > them serves no real purpose.
> 
> You're all aware that this would break <portage-2.0.51.20 (so any
> portage version older than 6 months)? Also while they don't affect the
> build process they contain important information and are/will be parsed
> by portage, so I'm not that comfortable with dropping also the option
> of verifying them permanently.
> 
> One thing solar has pointed out is that in countries with stupid laws
> pycrypto violates some patents so currently we cannot ship it in stages
> or binary packages (so I'm told, I'm neither a lawyer nor someone who
> is affected by such laws). This is probably something releng and the
> python herd have to deal with.

It's easy enough to patch the two ciphers out when USE=bindist would be
set. 

> So right now I'll go ahead and add the pycrypto code to portage, but
> will not yet add the dep to any ebuild or change anything metadata.xml
> or ChangeLog related (according to Jason 2.0.54 is still away one or
> two weeks anyway).

If you do that please set it as a blocker for the .54 release. 
Reintroducing ChangeLog/metadata.xml to Manifests would be an undesired
regression. Nothing in the portage as of <=.53 makes direct use of those
two files and there is no security value in bloating the digest format
with them. That's why they were removed in 2.0.51.21

Making the argument for maybe portage in the future will use them is 
not valid as they are currently omitted and we/I have been told before
by the portage team (ferringb & jstubbs iirc??) that portage itself
won't be doing any .xml parsing in its core. IE So that means not today
nor tomorrow will anything need to depend on those files in order to
build.

-- 
solar <solar@gentoo.org>
Gentoo Linux

* Re: [gentoo-dev] December 15th Meeting Summary
From: Marius Mauch @ 2005-12-19 19:29 UTC
  To: gentoo-dev

On Mon, 19 Dec 2005 13:45:04 -0500
solar <solar@gentoo.org> wrote:

> If you do that please set it as a blocker for the .54 release. 
> Reintroducing ChangeLog/metadata.xml to Manifests would be an undesired
> regression. Nothing in the portage as of <=.53 makes direct use of
> those two files and there is no security value in bloating the digest
> format with them. That's why they were removed in 2.0.51.21
> 
> Making the argument for maybe portage in the future will use them is 
> not valid as they are currently omitted and we/I have been told before
> by the portage team (ferringb & jstubbs iirc??) that portage itself
> won't be doing any .xml parsing in its core. IE So that means not
> today nor tomorrow will anything need to depend on those files in
> order to build.

Name a single portage version that does *not generate* manifest entries
for them (hint: there is none). They are only ignored right now during
verification. So it's in no way a regression.

Marius

-- 
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.

* Re: [gentoo-dev] December 15th Meeting Summary
From: Brian Harring @ 2005-12-20  3:01 UTC
  To: gentoo-dev

On Mon, Dec 19, 2005 at 01:45:04PM -0500, solar wrote:
> > So right now I'll go ahead and add the pycrypto code to portage, but
> > will not yet add the dep to any ebuild or change anything metadata.xml
> > or ChangeLog related (according to Jason 2.0.54 is still away one or
> > two weeks anyway).
> 
> If you do that please set it as a blocker for the .54 release. 
> Reintroducing ChangeLog/metadata.xml to Manifests would be an undesired
> regression. Nothing in the portage as of <=.53 makes direct use of those
> two files and there is no security value in bloating the digest format
> with them. That's why they were removed in 2.0.51.21
> 
> Making the argument for maybe portage in the future will use them is 
> not valid as they are currently omitted and we/I have been told before
> by the portage team (ferringb & jstubbs iirc??) that portage itself
> won't be doing any .xml parsing in its core. IE So that means not today
> nor tomorrow will anything need to depend on those files in order to
> build.
Stated otherwise in irc in regards to your metadata.xml 
patch- metadata.xml support will be core, although due to 
certain constraints it'll be optional initially.

At some point, we're going to have to push long desc into the cache; 
at that point, portage will be required to be xml aware (yay).
~harring

* Re: [gentoo-dev] December 15th Meeting Summary
From: solar @ 2005-12-20 21:21 UTC
  To: gentoo-dev

On Mon, 2005-12-19 at 20:29 +0100, Marius Mauch wrote:
> On Mon, 19 Dec 2005 13:45:04 -0500
> solar <solar@gentoo.org> wrote:
> 
> > If you do that please set it as a blocker for the .54 release. 
> > Reintroducing ChangeLog/metadata.xml to Manifests would be an undesired
> > regression. Nothing in the portage as of <=.53 makes direct use of
> > those two files and there is no security value in bloating the digest
> > format with them. That's why they were removed in 2.0.51.21
...


> Name a single portage version that does *not generate* manifest entries
> for them (hint: there is none). They are only ignored right now during
> verification. So it's in no way a regression.

sigh I just checked and you are correct it does still create them, so
I'll happily recant on the word regression. It however seems pointless
to include them in creation. Currently the 2 unused lines are taking up
about ~1.1M in the tree, when we have several additional hashes I can
only imagine that it would use significantly more space than currently.

-- 
solar <solar@gentoo.org>
Gentoo Linux
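
An added example, not part of the thread and not portage's code: a minimal multi-hash check in the spirit of the scheme discussed above (MD5 plus RMD160 and SHA256 entries per file), including the behaviour Marius describes where ChangeLog and metadata.xml entries are generated but ignored during verification. The one-line-per-hash layout, the function names and the sample files are assumptions made for illustration.

```python
import hashlib

# Assumed Manifest1-style layout for this sketch: "<ALGO> <hexdigest> <path> <size>".
ALGOS = {"MD5": "md5", "RMD160": "ripemd160", "SHA256": "sha256"}
# Entries that are generated but not checked, as described in the thread.
UNVERIFIED = {"ChangeLog", "metadata.xml"}
# Constructed sample package directory (path -> contents).
SAMPLE = {"foo-1.0.ebuild": b"SRC_URI=...", "ChangeLog": b"initial import\n",
          "metadata.xml": b"<pkgmetadata/>\n"}


def digest(algo, data):
    """Hex digest, or None when this Python build lacks the algorithm."""
    try:
        return hashlib.new(ALGOS[algo], data).hexdigest()
    except (KeyError, ValueError):  # unknown name, or e.g. ripemd160 not in OpenSSL
        return None


def make_manifest(files):
    """One line per (file, available algorithm), ChangeLog/metadata.xml included."""
    lines = []
    for path in sorted(files):
        for algo in ALGOS:
            d = digest(algo, files[path])
            if d is not None:
                lines.append(f"{algo} {d} {path} {len(files[path])}")
    return "\n".join(lines)


def verify(manifest, files):
    """Map each path to 'ok', 'skipped', 'missing' or the list of failed checks."""
    result = {}
    for line in manifest.splitlines():
        algo, want, path, size = line.split()
        if path in UNVERIFIED:
            result[path] = "skipped"
        elif path not in files:
            result[path] = "missing"
        else:
            failed = result.setdefault(path, [])
            got = digest(algo, files[path])
            if int(size) != len(files[path]):
                failed.append(algo + ":size")
            elif got is not None and got != want:
                failed.append(algo)
    return {p: r if isinstance(r, str) else (r or "ok") for p, r in result.items()}
```

A modified ChangeLog still comes back as "skipped" here, which is the gap between generating an entry and verifying it that the thread is arguing about.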
