From: Douglas Russell
To: gentoo-portage-dev@gentoo.org, Douglas Russell
Date: Sun, 7 Dec 2003 21:53:11 +0000
Subject: Re: [gentoo-portage-dev] gpg signing of Manifests
Message-Id: <200312072153.21392.puggy@gentoo.org>
In-Reply-To: <200312072101.08245.puggy@gentoo.org>
References: <200312050158.17479.george@gentoo.org> <200312071412.08154.tradergt@smelser.org> <200312072101.08245.puggy@gentoo.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ok, it has been brought to my attention that conveniently the parsing of the
current Manifest file only looks at lines starting with MD5, so option (a) is
indeed possible after all. It basically replaces option (b) but without the
problem of increasing the number of files in portage in the short term.

This now looks like the easiest solution to implement but still there is the
ease of parsing argument for the separate signatures.

Puggy

On Sunday 07 December 2003 9:01 pm, Douglas Russell wrote:
> ok. basically I'm trying to get a jump on the rest of portage to allow us
> (through repoman) to get the tree populated with signed Manifests ready for
> when portage is able to use them.
>
> There are several choices available for where the sigs will be, and various
> advantages and disadvantages. I'm basically waiting to implement one of
> these until a decision is made. It will then be ready in short order and
> ready to use as soon as carpaski applies the patch against portage and
> commits it, etc.
>
> Choices:
>
> a) Signing inline in current Manifest file.
>
> Advantages
> 1) Low filestorage overhead in the short and long term
>
> Disadvantages
> 1) Current versions of portage will be unable to parse these files
> 2) More difficult to parse and post than a separate signature.
>
> Overall
> Basically (a) is an impossibility as it would require everyone to upgrade
> portage before introducing signing.
>
>
> b) Signing inline in a new Manifest.asc file
>
> Advantages
> 1) Gets around the problem of old/new portage as old portage will continue
> to use the Manifest files and new portage will use the new signed
> Manifest.asc files as soon as that "new" portage exists. The old Manifests
> can be phased out after a time.
> 2) Increase in number of files in portage tree is only in the short term
>
> Disadvantages
> 1) Increase in number of files in portage tree in the short term.
> 2) More difficult to parse and post than a separate signature.
>
> Overall
> Possible, can be implemented now, best implementation from a portage tree
> size point of view.
>
> c) Detached Signing in a Manifest.asc file
>
> Advantages
> 1) Gets around the problem of old/new portage as old portage will continue
> to use the Manifest files and new portage will use the new signed
> Manifest.asc in conjunction with the old Manifest files as soon as that
> portage exists.
> 2) Easy to parse and post, especially for uses such as
> grabbing the sigs for posting on packages.gentoo.org
>
> Disadvantages
> 1) Increase in number of files in portage tree in short and long term
>
> Overall
> Possible, can be implemented now, best implementation from a usability
> point of view
>
> ____________________________
>
> Swift responses would be appreciated as I want to get this into repoman as
> soon as possible so that at the very least, wary users can manually check
> their Manifests signatures if they are worried. This will also enable the
> rest of portage to use the signatures as soon as it is ready to use them.
>
> Apologies for cross-posting this to -core but I thought everyone should be
> aware of this issue seeing as it has been brought to all our attentions of
> late. Please continue the discussion on gentoo-portage-dev@gentoo.org list.
>
> Puggy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/06FPXYnvgFdTojMRAqZXAJ9WZtxtUjSTB8GF19SAmHX/G2UeEQCfYXSY
64boL8x1e5cZCc9GtuSaHgk=
=mynT
-----END PGP SIGNATURE-----

--
gentoo-portage-dev@gentoo.org mailing list
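
The compatibility point in the reply above (a reader that only looks at lines starting with MD5 skips clearsign armor), as an added example that is not part of the original message and is not Portage code; it also shows why a signature-aware reader has to reject lines outside the signed block. The `MD5 <hash> <file> <size>` entry layout, the function names and the sample Manifest are assumptions constructed for illustration.

```python
# Added example, not Portage code. Assumed entry layout: "MD5 <hash> <file> <size>".
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def legacy_entries(text):
    """Old-style parse: keep lines starting with MD5, silently skip the rest."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "MD5":
            entries[fields[2]] = (fields[1], int(fields[3]))
    return entries

def signed_region(text):
    """Return only the text inside the clearsign armor, else raise ValueError.

    Structural check only: the signature must still be verified with gpg
    before any entry from this region is trusted.
    """
    lines = text.splitlines()
    if any(lines.count(m) != 1 for m in (BEGIN_MSG, BEGIN_SIG, END_SIG)):
        raise ValueError("expected exactly one clearsigned block")
    start, sig, end = (lines.index(m) for m in (BEGIN_MSG, BEGIN_SIG, END_SIG))
    if not start < sig < end:
        raise ValueError("armor lines out of order")
    if any(l.strip() for l in lines[:start] + lines[end + 1:]):
        raise ValueError("unsigned content outside the signed block")
    body = start + 1
    while body < sig and lines[body].strip():  # skip armor headers (Hash: ...)
        body += 1
    # Undo the "- " dash-escaping that clearsigning applies to some lines.
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[body + 1:sig])

# Constructed sample Manifest; hashes and the signature body are placeholders.
SIGNED = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MD5 0123456789abcdef0123456789abcdef foo-1.0.ebuild 1024
MD5 fedcba9876543210fedcba9876543210 ChangeLog 2048
-----BEGIN PGP SIGNATURE-----
(placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""
# Same file with one entry appended after the armor, so not covered by the signature.
TAMPERED = SIGNED + "MD5 ffffffffffffffffffffffffffffffff foo-1.0.ebuild 1024\n"

if __name__ == "__main__":
    print(legacy_entries(SIGNED) == legacy_entries(signed_region(SIGNED)))
    print(legacy_entries(TAMPERED)["foo-1.0.ebuild"])
```

The legacy reader accepts the appended line in `TAMPERED` and lets it override the signed entry, while `signed_region` refuses the file.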