public inbox for gentoo-dev@lists.gentoo.org
From: NP-Hardass <NP-Hardass@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Git, GPG Signing, and Manifests
Date: Thu, 16 Jul 2015 23:06:03 -0400
Message-ID: <55A8711B.9070400@gentoo.org>
In-Reply-To: <20150716182540.083c1c18.dolsen@gentoo.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 07/16/2015 09:25 PM, Brian Dolbec wrote:
> On Thu, 16 Jul 2015 21:13:09 -0400 NP-Hardass
> <NP-Hardass@gentoo.org> wrote:
> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
> 
>> Not sure if this has been covered in some of the rather long
>> chains of late, but I was thinking about GPG signing, and how the
>> proposed workflow requires every developer to sign their commits.
>> Currently, it's advised that every manifest be signed.  As far as
>> I know, there are a number that are not.  When a manifest is
>> signed, the author is saving a state, and providing a means to
>> check it has not changed.
> 
>> Additionally, I feel that a signature is a means of acknowledging
>> that a package has been looked over, and that developer has
>> stated that they approve of the existing state.  I'm not sure if
>> others agree with that sentiment, but if anyone does, my question
>> is, how does the conversion process to git handle these packages,
>> where the manifests are not signed.  Is there an intention to
>> blanket cover all packages when we switch to git?  Will these
>> packages be copied over directly and still maintain their
>> unsigned manifest (I think this is unlikely as I read that there
>> would be a switch to thin manifests, requiring regeneration)? If
>> the community doesn't view the signature of the manifest as I
>> just described, then a blanket signing would be fine.
> 
>> Would appreciate your thoughts either way, as I could be
>> overthinking the issue :P
> 
>> - -- NP-Hardass
> 
> 
> No, with the git working tree, we will switch to thin manifests and
> the entire commit will be signed.  Not only that, but the push to
> the main server will also be signed (a push may contain commits
> signed by a different person than the person pushing).
> 
> For the regular rsync tree, full manifests will be regenerated as
> needed and signed by a common infra supplied gpg key.  So for
> general users, it will be easy to verify without having all gentoo
> devs gpg keys.  That will be different for users of the git tree.
> 
> 
> 

Ah ha. So, with thin manifests, we as devs don't sign the manifest, we
sign the commit.

The infra key for the user facing tree makes sense.  Thanks for
filling me in.  So, will infra be using that key to do the initial
commit to the repo?

Are there plans to make the repo, w/ metadata and signed by infra,
available to end users as a rsync alternative?

And my apologies to all for the multiple messages.  My cron plugin for
my email client is wonking.

- -- 
NP-Hardass
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
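The exchange above turns on the difference between a full Manifest (which lists every ebuild, metadata and files/ entry with sizes and hashes) and a thin Manifest (DIST entries only, so the integrity of the ebuilds themselves has to come from the signed git commit). The following is an added example, not code from this thread or from Portage, that generates both styles for a constructed package directory and then checks a tree against each after an ebuild has been edited. Assumptions: the Manifest2 line layout `TYPE name size HASH hex HASH hex`, a BLAKE2B+SHA512 hash set (Portage's configured set has changed over the years), and that the OpenPGP clearsign/verify step on the Manifest or the commit is done by gpg or git outside this script and is not modelled here.

```python
"""Full vs. thin Gentoo-style Manifest: generation and verification.

Added example, not code from the gentoo-dev thread or from Portage.
Assumed: Manifest2 line format "TYPE name size HASH hex HASH hex",
hash set BLAKE2B + SHA512, thin Manifest = DIST entries only.  The
OpenPGP signature on the Manifest or on the git commit is checked by
gpg/git externally and is not part of this script.
"""
import hashlib
import tempfile
from pathlib import Path

HASHES = ("BLAKE2B", "SHA512")


def _digests(data: bytes) -> dict:
    return {"BLAKE2B": hashlib.blake2b(data).hexdigest(),
            "SHA512": hashlib.sha512(data).hexdigest()}


def _entry_type(relpath: str) -> str:
    # Portage's classification: *.ebuild -> EBUILD, files/* -> AUX, rest -> MISC
    if relpath.endswith(".ebuild"):
        return "EBUILD"
    if relpath.startswith("files/"):
        return "AUX"
    return "MISC"


def _fmt(etype: str, name: str, data: bytes) -> str:
    d = _digests(data)
    return " ".join([etype, name, str(len(data))] + [f"{h} {d[h]}" for h in HASHES])


def generate_manifest(pkgdir: Path, distfiles: dict, thin: bool) -> str:
    """Return Manifest text.  distfiles maps tarball name -> bytes (constructed)."""
    lines = []
    if not thin:  # a full Manifest also covers the in-tree files
        for p in sorted(pkgdir.rglob("*")):
            if p.is_file() and p.name != "Manifest":
                rel = p.relative_to(pkgdir).as_posix()
                # AUX entries are named relative to files/
                name = rel[len("files/"):] if rel.startswith("files/") else rel
                lines.append(_fmt(_entry_type(rel), name, p.read_bytes()))
    for name, data in sorted(distfiles.items()):
        lines.append(_fmt("DIST", name, data))
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict:
    """Map (type, name) -> (size, {hash_name: hex})."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        etype, name, size, rest = parts[0], parts[1], int(parts[2]), parts[3:]
        entries[(etype, name)] = (size, dict(zip(rest[0::2], rest[1::2])))
    return entries


def verify_tree(pkgdir: Path, manifest_text: str) -> list:
    """Return a sorted list of problems: listed in-tree files that are missing
    or whose size/hash differ, plus in-tree files the Manifest does not list
    at all (the blind spot of a thin Manifest)."""
    problems, covered = [], set()
    for (etype, name), (size, hashes) in parse_manifest(manifest_text).items():
        if etype == "DIST":
            continue  # distfiles live in DISTDIR and are checked at fetch time
        rel = f"files/{name}" if etype == "AUX" else name
        covered.add(rel)
        path = pkgdir / rel
        if not path.is_file():
            problems.append(f"missing {etype} {name}")
            continue
        data = path.read_bytes()
        d = _digests(data)
        if len(data) != size or any(d.get(h) != v for h, v in hashes.items()):
            problems.append(f"mismatch {etype} {name}")
    for p in pkgdir.rglob("*"):
        if p.is_file() and p.name != "Manifest":
            rel = p.relative_to(pkgdir).as_posix()
            if rel not in covered:
                problems.append(f"uncovered {rel}")
    return sorted(problems)


def demo() -> dict:
    """Build a constructed package dir (toy contents, not a real ebuild),
    produce both Manifest styles, then edit the ebuild and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        pkg = Path(d) / "app-misc" / "foo"
        (pkg / "files").mkdir(parents=True)
        ebuild = pkg / "foo-1.0.ebuild"
        ebuild.write_bytes(b'EAPI=5\nSRC_URI="foo-1.0.tar.gz"\n')
        (pkg / "metadata.xml").write_bytes(b"<pkgmetadata/>\n")
        (pkg / "files" / "foo.patch").write_bytes(b"--- a\n+++ b\n")
        dist = {"foo-1.0.tar.gz": b"constructed tarball bytes"}
        full = generate_manifest(pkg, dist, thin=False)
        thin = generate_manifest(pkg, dist, thin=True)
        result = {"full_entries": len(parse_manifest(full)),
                  "thin_entries": len(parse_manifest(thin)),
                  "clean_full": verify_tree(pkg, full),
                  "clean_thin": verify_tree(pkg, thin)}
        # Tamper with the ebuild the way someone with tree write access could.
        ebuild.write_bytes(ebuild.read_bytes() + b"pkg_postinst() { :; }\n")
        result["tampered_full"] = verify_tree(pkg, full)
        result["tampered_thin"] = verify_tree(pkg, thin)
        return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With the full Manifest the edited ebuild shows up as a hash mismatch; with the thin Manifest every in-tree file is simply uncovered, which is why the git workflow described above has to rely on the signed commit (and signed push) for ebuild integrity, while the rsync tree gets a regenerated, infra-signed full Manifest that users can check with a single key.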



Thread overview: 16+ messages
2015-07-17  1:13 [gentoo-dev] Git, GPG Signing, and Manifests NP-Hardass
2015-07-17  1:25 ` Kent Fredric
2015-07-17  3:13   ` NP-Hardass
2015-07-17  1:25 ` Brian Dolbec
2015-07-17  3:06   ` NP-Hardass [this message]
2015-07-17  4:42     ` Brian Dolbec
2015-07-17 12:36       ` Rich Freeman
2015-07-17 12:44         ` Alon Bar-Lev
2015-07-17 12:50         ` Rich Freeman
2015-07-17 15:25           ` Brian Dolbec
2015-07-17 15:11         ` Brian Dolbec
2015-07-17  8:18 ` OpenPGP verification (was Re: [gentoo-dev] Git, GPG Signing, and Manifests) Kristian Fiskerstrand
2015-07-17  9:48   ` hasufell
2015-07-17  9:56     ` Kristian Fiskerstrand
2015-07-17 10:34   ` Verification of installed packages (was Re: OpenPGP verification (was Re: [gentoo-dev] Git, GPG Signing, and Manifests)) Andrew Savchenko
2015-07-17 10:43     ` Kent Fredric
