Message-ID: <5d9402fde097fbb1ebc75b05e562082e9e573fcf.camel@gentoo.org>
Subject: Re: [gentoo-dev] [PATCH 1/5] verify-sig.eclass: New eclass to verify OpenPGP sigs
From: Michał Górny
To: gentoo-dev@lists.gentoo.org
Date: Tue, 06 Oct 2020 14:12:58 +0200

On Tue, 2020-10-06 at 14:06 +0200, Ulrich Mueller wrote:
> > > > > > On Tue, 06 Oct 2020, Michał Górny wrote:
> > On Tue, 2020-10-06 at 13:34 +0200, Ulrich Mueller wrote:
> > > > > > > > On Tue, 06 Oct 2020, Michał Górny wrote:
> > > > On Tue, 2020-10-06 at 13:18 +0200, Ulrich Mueller wrote:
> > > > > > > > > > On Tue, 06 Oct 2020, Michał Górny wrote:
> > > > > > +IUSE="+verify-sig"
> > > > >
> > > > > At least don't enable this by default. The feature increases
> > > > > build time and has little (if any) benefits.
> > > > Do you have any numbers to back this claim?
> > >
> > > That's a strange question. Obviously build time can only increase if
> > > you install an additional dependency and download an additional
> > > distfile.
> > But how significant is the increase? Can you actually measure it
> > without trying hard to make things slow?
>
> IMHO it has no benefit at all for users, because distfile integrity is
> already guaranteed by digests. So this is a second and redundant method.
> On the other hand, it causes download of additional distfiles which may
> not be wanted by most users.
>
> > If you are going to claim that it outweighs the 'little' benefit, you
> > need to try harder than that.
>
> No. You are the one who wants to introduce a new feature, so it's up to
> you to motivate why (and how) adding a redundant method of distfile
> verification would make things more secure on the users' side.
>

The eclassdoc answers this question already. Anyway, v2 disables it by
default, so your concern should be resolved.

-- 
Best regards,
Michał Górny