From: Douglas Russell
Organization: Gentoo Linux
To: gentoo-portage-dev@gentoo.org
Cc: gentoo-core@gentoo.org
Date: Sun, 7 Dec 2003 21:01:03 +0000
Message-Id: <200312072101.08245.puggy@gentoo.org>
Subject: [gentoo-portage-dev] gpg signing of Manifests

OK. Basically I'm trying to get a jump on the rest of portage to allow us
(through repoman) to get the tree populated with signed Manifests ready for
when portage is able to use them.

There are several choices available for where the sigs will be, and various
advantages and disadvantages. I'm basically waiting to implement one of these
until a decision is made. It will then be ready in short order and ready to
use as soon as carpaski applies the patch against portage and commits it,
etc.

Choices:

a) Signing inline in current Manifest file.

Advantages
1) Low file storage overhead in the short and long term

Disadvantages
1) Current versions of portage will be unable to parse these files
2) More difficult to parse and post than a separate signature.

Overall
Basically (a) is an impossibility as it would require everyone to upgrade
portage before introducing signing.

b) Signing inline in a new Manifest.asc file

Advantages
1) Gets around the problem of old/new portage as old portage will continue to
use the Manifest files and new portage will use the new signed Manifest.asc
files as soon as that "new" portage exists. The old Manifests can be phased
out after a time.
2) Increase in number of files in portage tree is only in the short term

Disadvantages
1) Increase in number of files in portage tree in the short term.
2) More difficult to parse and post than a separate signature.

Overall
Possible, can be implemented now, best implementation from a portage tree size
point of view.

c) Detached Signing in a Manifest.asc file

Advantages
1) Gets around the problem of old/new portage as old portage will continue to
use the Manifest files and new portage will use the new signed Manifest.asc
in conjunction with the old Manifest files as soon as that portage exists.
2) Easy to parse and post, especially for uses such as grabbing the sigs for
posting on packages.gentoo.org

Disadvantages
1) Increase in number of files in portage tree in short and long term

Overall
Possible, can be implemented now, best implementation from a usability point
of view

____________________________

Swift responses would be appreciated as I want to get this into repoman as
soon as possible so that at the very least, wary users can manually check
their Manifests' signatures if they are worried. This will also enable the
rest of portage to use the signatures as soon as it is ready to use them.

Apologies for cross-posting this to -core but I thought everyone should be
aware of this issue seeing as it has been brought to all our attentions of
late. Please continue the discussion on the gentoo-portage-dev@gentoo.org list.

Puggy
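
Added illustration, not part of the original message and not portage or repoman code: a sketch of why a strict Manifest parser rejects an inline-signed file (option a) and what extra parsing options (a) and (b) need compared with a detached signature (option c). The `MD5 <hash> <file> <size>` entry format, the function names `parse_manifest` and `split_clearsigned`, and all sample data are assumptions constructed for this example.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample data: entry format, hashes, file names and the
# signature body are placeholders, not taken from the Gentoo tree.
PLAIN = ("MD5 0123456789abcdef0123456789abcdef foo-1.0.ebuild 1234\n"
         "MD5 fedcba9876543210fedcba9876543210 files/digest-foo-1.0 64\n")
ARMORED_SIG = f"{BEGIN_SIG}\n\nPLACEHOLDER+NOT+A+REAL+SIGNATURE=\n{END_SIG}\n"
CLEARSIGNED = f"{BEGIN_MSG}\nHash: SHA1\n\n{PLAIN}{ARMORED_SIG}"


def parse_manifest(text):
    """Strict parser for the assumed 'MD5 <hash> <file> <size>' entry format."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 4 or fields[0] != "MD5":
            raise ValueError(f"line {lineno}: not a Manifest entry: {line!r}")
        entries[fields[2]] = (fields[1], int(fields[3]))
    return entries


def split_clearsigned(text):
    """Split an OpenPGP cleartext-signed document into (payload, signature).

    Structural parsing only: the payload is untrusted until gpg has verified
    the signature. Text outside the signed framing is rejected, not skipped.
    """
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_MSG:
        raise ValueError("document does not start with the cleartext header")
    try:
        blank = lines.index("", 1)                 # ends the armor headers
        sig_start = lines.index(BEGIN_SIG, blank)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ValueError("malformed cleartext-signed document") from None
    if not all(h.startswith("Hash: ") for h in lines[1:blank]):
        raise ValueError("unexpected data in the armor header area")
    if any(l.strip() for l in lines[sig_end + 1:]):
        raise ValueError("unsigned trailing data after the signature")
    # Undo dash-escaping: signed lines that began with '-' carry a '- ' prefix.
    body = [l[2:] if l.startswith("- ") else l for l in lines[blank + 1:sig_start]]
    return "\n".join(body) + "\n", "\n".join(lines[sig_start:sig_end + 1]) + "\n"
```

With a detached signature the Manifest stays byte-for-byte what `parse_manifest` already accepts and `Manifest.asc` holds only the armored block; with either inline form, a consumer must run something like `split_clearsigned` and refuse any data outside the signed region before reading entries.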