From: Douglas Russell <puggy@gentoo.org>
To: gentoo-portage-dev@gentoo.org
Cc: gentoo-core@gentoo.org
Subject: [gentoo-portage-dev] gpg signing of Manifests
Date: Sun, 7 Dec 2003 21:01:03 +0000
Message-ID: <200312072101.08245.puggy@gentoo.org>
In-Reply-To: <200312071412.08154.tradergt@smelser.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ok. basically I'm trying to get a jump on the rest of portage to allow us
(through repoman) to get the tree populated with signed Manifests ready for
when portage is able to use them.

There are several choices available for where the sigs will be, and various
advantages and disadvantages. I'm basically waiting to implement one of these
until a decision is made. It will then be ready in short order and ready to
use as soon as carpaski applies the patch against portage and commits it,
etc.

Choices:

a) Signing inline in current Manifest file.

Advantages
1) Low file storage overhead in the short and long term

Disadvantages
1) Current versions of portage will be unable to parse these files
2) More difficult to parse and post than a separate signature.

Overall
Basically (a) is an impossibility as it would require everyone to upgrade
portage before introducing signing.

b) Signing inline in a new Manifest.asc file

Advantages
1) Gets around the problem of old/new portage as old portage will continue to
use the Manifest files and new portage will use the new signed Manifest.asc
files as soon as that "new" portage exists. The old Manifests can be phased
out after a time.
2) Increase in number of files in portage tree is only in the short term

Disadvantages
1) Increase in number of files in portage tree in the short term.
2) More difficult to parse and post than a separate signature.

Overall
Possible, can be implemented now, best implementation from a portage tree size
point of view.

c) Detached Signing in a Manifest.asc file

Advantages
1) Gets around the problem of old/new portage as old portage will continue to
use the Manifest files and new portage will use the new signed Manifest.asc
in conjunction with the old Manifest files as soon as that portage exists.
2) Easy to parse and post, especially for uses such as grabbing the sigs for
posting on packages.gentoo.org

Disadvantages
1) Increase in number of files in portage tree in short and long term

Overall
Possible, can be implemented now, best implementation from a usability point
of view

____________________________

Swift responses would be appreciated as I want to get this into repoman as
soon as possible so that at the very least, wary users can manually check
their Manifests' signatures if they are worried. This will also enable the
rest of portage to use the signatures as soon as it is ready to use them.

Apologies for cross-posting this to -core but I thought everyone should be
aware of this issue seeing as it has been brought to all our attentions of
late. Please continue the discussion on the gentoo-portage-dev@gentoo.org list.

Puggy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQE/05UTXYnvgFdTojMRAggGAKCY65KRWeYmTABNbkuUwXOIkcGgqACbBQ/K
8WIcisb+VwYmyEMEQrQts0o=
=cbed
-----END PGP SIGNATURE-----
--
gentoo-portage-dev@gentoo.org mailing list
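
Added example, not part of the original message and not portage or repoman code: it shows why an inline (cleartext) signature breaks a signature-unaware Manifest parser, as in options (a) and (b), while a detached signature as in option (c) leaves the Manifest bytes untouched. The "MD5 <digest> <file> <size>" entry layout, the function names parse_manifest and split_clearsigned, and all sample data are assumptions constructed for illustration.

```python
import re

# Constructed sample: a Manifest in a one-entry-per-line layout
# (assumed here: "MD5 <hex digest> <filename> <size>").
MANIFEST = (
    "MD5 0123456789abcdef0123456789abcdef foo-1.0.ebuild 1024\n"
    "MD5 fedcba9876543210fedcba9876543210 ChangeLog 2048\n"
)

# Constructed sample for options (a)/(b): the same entries wrapped in an
# OpenPGP cleartext signature. The signature body is a placeholder.
CLEARSIGNED = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA1\n"
    "\n"
    + MANIFEST +
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "PLACEHOLDER\n"
    "-----END PGP SIGNATURE-----\n"
)

ENTRY = re.compile(r"^MD5 ([0-9a-f]{32}) (\S+) (\d+)$")


def parse_manifest(text):
    """Strict parser standing in for a signature-unaware portage."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"line {n}: not a Manifest entry: {line!r}")
        entries[m.group(2)] = (m.group(1), int(m.group(3)))
    return entries


def split_clearsigned(text):
    """Return (payload, signature_block) from a cleartext-signed document."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        raise ValueError("not a cleartext-signed document")
    try:
        body = lines.index("", 1) + 1   # armor headers end at first blank line
        sig = lines.index("-----BEGIN PGP SIGNATURE-----", body)
    except ValueError:
        raise ValueError("truncated cleartext signature") from None
    # Undo dash-escaping: signed lines starting with "-" are sent as "- -...".
    payload = [l[2:] if l.startswith("- ") else l for l in lines[body:sig]]
    return "\n".join(payload) + "\n", "\n".join(lines[sig:]) + "\n"
```

split_clearsigned only separates the parts and verifies nothing; a real consumer should parse the text gpg emits after a successful verification rather than its own re-parse of the file.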