From: Ulrich Mueller
To: Michał Górny
Cc: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH 1/5] verify-sig.eclass: New eclass to verify OpenPGP sigs
In-Reply-To: <20201006095814.101719-1-mgorny@gentoo.org> ("Michał Górny"'s message of "Tue, 6 Oct 2020 11:58:10 +0200")
References: <20201006095814.101719-1-mgorny@gentoo.org>
Date: Tue, 06 Oct 2020 13:17:05 +0200
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1.50 (gnu/linux)
List-Id: Gentoo Linux mail

>>>>> On Tue, 06 Oct 2020, Michał Górny wrote:
> verify-sig eclass provides a streamlined approach to verifying upstream
> signatures on distfiles. Its primary purpose is to permit developers
> to easily verify signatures while bumping packages. The eclass removes
> the risk of a developer forgetting to perform the verification,
> or performing it incorrectly, e.g. due to additional keys in the local
> keyring. It also permits users to verify the developer's work.

We've already discussed it in #-qa, and I still think that this is
over-engineered. Users can validate the distfile by the Manifest and its
signature, so exposing the feature to users is redundant.

Ulrich
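The Manifest-based check that the reply refers to, as an added example that is not part of this thread, of the verify-sig eclass, or of Portage. It parses the GLEP 74 `DIST <file> <size> <ALGO> <hex> ...` lines of a Manifest and compares the distfile's size and digests against them. The Manifest text and the distfile bytes below are constructed for the example; the separate step of verifying the signature over the Manifest itself (e.g. with gpg) is assumed to have been done beforehand and is not shown here.

```python
"""Verify a distfile against the DIST entries of a Gentoo Manifest (GLEP 74 format).

Example code written for this page; the Manifest and distfile are constructed
samples, not a real package. Checking the OpenPGP signature over the Manifest
is assumed to have happened before this runs.
"""
import hashlib
import hmac

# Constructed stand-in for the contents of foo-1.0.tar.gz.
SAMPLE_DISTFILE = b"this stands in for foo-1.0.tar.gz\n"

# Hash algorithms that current Manifests carry (GLEP 74 mandates BLAKE2B and SHA512).
HASH_ALGOS = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512}


def manifest_dist_line(name, data):
    """Build a GLEP 74 DIST line for `data`; used only to construct the sample Manifest."""
    digests = " ".join(f"{algo} {fn(data).hexdigest()}" for algo, fn in HASH_ALGOS.items())
    return f"DIST {name} {len(data)} {digests}"


# Constructed Manifest: one DIST entry plus an unrelated EBUILD entry that the
# distfile check must ignore (its digests are placeholders).
SAMPLE_MANIFEST = "\n".join([
    manifest_dist_line("foo-1.0.tar.gz", SAMPLE_DISTFILE),
    "EBUILD foo-1.0.ebuild 512 BLAKE2B 00 SHA512 00",
]) + "\n"


def parse_dist_entries(manifest_text):
    """Return {filename: (size, {ALGO: hex, ...})} for every DIST line."""
    entries = {}
    for line in manifest_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DIST":
            continue
        name, size = fields[1], int(fields[2])
        # Remaining fields alternate ALGO, hex-digest.
        hashes = dict(zip(fields[3::2], fields[4::2]))
        entries[name] = (size, hashes)
    return entries


def verify_distfile(name, data, manifest_text):
    """Check size and every supported digest of `data` against the Manifest.

    Returns (ok, reason). Fails closed: a missing entry, a size mismatch, any
    digest mismatch, or no supported digest at all is a failure.
    """
    entries = parse_dist_entries(manifest_text)
    if name not in entries:
        return False, f"no DIST entry for {name}"
    size, hashes = entries[name]
    if len(data) != size:
        return False, f"size mismatch for {name}: got {len(data)}, Manifest says {size}"
    checked = 0
    for algo, expected in hashes.items():
        fn = HASH_ALGOS.get(algo)
        if fn is None:
            continue  # unknown algorithm: neither trusted nor fatal on its own
        actual = fn(data).hexdigest()
        if not hmac.compare_digest(actual, expected.lower()):
            return False, f"{algo} mismatch for {name}"
        checked += 1
    if checked == 0:
        return False, f"no supported digest for {name}"
    return True, f"{name}: size and {checked} digest(s) match the Manifest"


if __name__ == "__main__":
    print(verify_distfile("foo-1.0.tar.gz", SAMPLE_DISTFILE, SAMPLE_MANIFEST))
    # A same-length modification is caught by the digests rather than the size check.
    print(verify_distfile("foo-1.0.tar.gz", b"This stands in for foo-1.0.tar.gz\n", SAMPLE_MANIFEST))
```

The point of the check is that it trusts nothing in the distfile itself: integrity comes from the digests in the Manifest, and authenticity from whoever signed the Manifest, which is why the signature over the Manifest has to be verified first for the result to mean anything.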