From: Ulrich Mueller <ulm@gentoo.org>
To: "Michał Górny" <mgorny@gentoo.org>
Cc: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH 1/5] verify-sig.eclass: New eclass to verify OpenPGP sigs
Date: Tue, 06 Oct 2020 13:17:05 +0200
Message-ID: <u1ribob7y@gentoo.org>
In-Reply-To: <20201006095814.101719-1-mgorny@gentoo.org> ("Michał Górny"'s message of "Tue, 6 Oct 2020 11:58:10 +0200")

>>>>> On Tue, 06 Oct 2020, Michał Górny wrote:
> verify-sig eclass provides a streamlined approach to verifying upstream
> signatures on distfiles. Its primary purpose is to permit developers
> to easily verify signatures while bumping packages. The eclass removes
> the risk of a developer forgetting to perform the verification,
> or performing it incorrectly, e.g. due to additional keys in the local
> keyring. It also permits users to verify the developer's work.

We've already discussed it in #-qa, and I still think that this is
over-engineered. Users can validate the distfile by the Manifest and its
signature, so exposing the feature to users is redundant.

Ulrich