Hello,

I would like to propose a new attempt at Manifest signatures. Instead of using a single per-Manifest signature, we would keep separate signatures for each of the files, as an additional (optional) hash type.

Motivation
----------

The current signing approach gives all the responsibility for the Manifest signature to the developer who committed the last update to the ebuild directory, regardless of the actual commit significance.

Consider the following: Dev A is the primary package maintainer. He/she reviewed all the ebuilds and committed a signed Manifest. Then Dev B performs a slight cleanup of the ebuild directory. He/she modifies metadata.xml a little and/or removes an old ebuild. The actual ebuilds weren't modified -- yet Dev B has to sign all of them once again. Moreover, if Dev B doesn't use Manifest signing, the signature from Dev A is lost.

The solution
------------

As a solution for this I suggest making the GPG signatures per-file, simply creating an additional hash type for them. For example, a single Manifest line would look like:

EBUILD foo-1.ebuild 1000 RMD160 ... SHA1 ... SHA256 ... GPG ...

Where the GPG signature will be an explicit signature done by the dev modifying (or reviewing) a particular file. Then, if another dev modifies a single file, the signatures for the other files would be untouched.

Potential issues
----------------

This signing model does not provide a mechanism for signing file removals. In other words, if a dev does remove files only, he/she won't leave any signature changes at all. If there's a reason to do that, we can consider using a complete Manifest file signature in parallel.

-- 
Best regards,
Michał Górny
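The per-file-signature Manifest line format proposed above, and the removal gap noted under "Potential issues", as an added illustration that is not part of the original mail or of any Portage code: a small parser for `TYPE name size ALG value ...` lines that treats `GPG` as one more column, a digest check, and a diff that reports which per-file signatures a commit touched. The file contents and the `sig-...` values are constructed placeholders standing in for real ebuilds and real detached signatures; verifying the latter would call out to gpg, which is out of scope here.

```python
import hashlib

# Constructed sample files (not from any real ebuild tree).
FILES = {
    "foo-1.ebuild": b'EAPI=5\nDESCRIPTION="example package"\n',
    "foo-0.9.ebuild": b'EAPI=4\nDESCRIPTION="old example package"\n',
}
# Manifest hash-type names that differ from hashlib's spelling.
ALG_NAMES = {"RMD160": "ripemd160"}

def manifest_line(ftype, name, data, gpg=None):
    """One Manifest line; GPG is just another 'ALG value' pair at the end.
    The gpg value is an opaque placeholder for a per-file detached signature."""
    fields = [ftype, name, str(len(data)), "SHA256", hashlib.sha256(data).hexdigest()]
    if gpg:
        fields += ["GPG", gpg]
    return " ".join(fields)

def build_manifest(signed):
    """Manifest text for the given {file name: gpg placeholder} mapping."""
    return "\n".join(manifest_line("EBUILD", n, FILES[n], s) for n, s in signed.items())

def parse_manifest(text):
    """Parse lines into {name: {type, size, hashes}}; hashes includes GPG if present."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or (len(parts) - 3) % 2:
            raise ValueError("malformed Manifest line: %r" % line)
        ftype, name, size = parts[:3]
        entries[name] = {"type": ftype, "size": int(size),
                         "hashes": dict(zip(parts[3::2], parts[4::2]))}
    return entries

def verify_file(entry, data):
    """Check size and every real digest column. GPG is not a digest, so it is
    skipped here; a real tool would hand that column to gpg --verify."""
    if len(data) != entry["size"]:
        return False
    for alg, value in entry["hashes"].items():
        if alg == "GPG":
            continue
        if hashlib.new(ALG_NAMES.get(alg, alg.lower()), data).hexdigest() != value:
            return False
    return True

def signature_changes(old, new):
    """Return (files whose GPG column changed or appeared, files removed).
    A removal-only commit leaves the first set empty: the gap the mail notes."""
    changed = {n for n, e in new.items()
               if e["hashes"].get("GPG") != old.get(n, {}).get("hashes", {}).get("GPG")}
    return changed, set(old) - set(new)
```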