Brian Harring wrote: [Sun Feb 20 2005, 05:33:40PM EST]
> Err... enforcement in terms of forcing devs to sign everything?
> That is only part of the pie. Take a _hard_ look at eclasses.
> Then, take an even _harder_ look at profile bashrc's, and what they
> technically are capable of, and the fact that all installations use
> a profile (atm, there isn't a common profile that all inherit from,
> but at some point it may occur).

Oh yeah. I, um, forgot all that ;-)

> So yeah. Assuming glep33 is greenlighted (a touch up will be posted
> in the next few days of it), eclass/elib signing I'll be handling.
> Profile signing is another beast that's needed, and help would be
> appreciated (as always, clean patches/discussion of how to do it
> properly/etc is always welcome).
>
> Beyond that, to save the portage devs sanity from people screaming
> "SHA1 is broken!" (it's not, just weakened), I'll be looking at
> centralizing, and making the digest code a bit more pluggable-
> basically do a handler setup, mapping a CHF to a function...

Cool, thanks for the reminder/update on these issues.

Regarding profile signing... how about putting a (signed) manifest in
each directory under portage/profiles? Only stuff in the immediate
directory would be included, not the subdirs.

Regards,
Aron

--
Aron Griffis
Gentoo Linux Developer
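
An added sketch, not code from this thread or from portage, of the two ideas discussed above: a handler table mapping a CHF name to a function, and a per-directory manifest that covers only the files immediately inside one profile directory. The manifest line format, the file name `Manifest` and all function names are assumptions made for illustration; checking the manifest's signature (for example with GnuPG) is assumed to happen before `verify_directory` is called.

```python
import hashlib
import os
import tempfile

# Handler setup: one table maps a CHF name to a function, so adding or
# retiring an algorithm is a one-line change.
CHF_HANDLERS = {
    "SHA1": lambda data: hashlib.sha1(data).hexdigest(),
    "SHA256": lambda data: hashlib.sha256(data).hexdigest(),
}
MANIFEST = "Manifest"  # assumed name; its signature is verified before use

def immediate_files(directory):
    """Regular files directly in `directory`; each subdir has its own manifest."""
    return sorted(n for n in os.listdir(directory)
                  if n != MANIFEST
                  and os.path.isfile(os.path.join(directory, n))
                  and not os.path.islink(os.path.join(directory, n)))

def digest(path, chf):
    with open(path, "rb") as fh:
        return CHF_HANDLERS[chf](fh.read())

def build_manifest(directory, chfs=("SHA256",)):
    """Lines in an assumed '<CHF> <hexdigest> <name>' format."""
    return [f"{chf} {digest(os.path.join(directory, n), chf)} {n}"
            for n in immediate_files(directory) for chf in chfs]

def verify_directory(directory, manifest_lines):
    """Return sorted problem strings; an empty list means the directory matches."""
    problems, listed = [], set()
    for line in manifest_lines:
        chf, want, name = line.split(" ", 2)
        listed.add(name)
        path = os.path.join(directory, name)
        if os.path.basename(name) != name or chf not in CHF_HANDLERS:
            problems.append(f"rejected {name}")  # path escape or unknown CHF
        elif not os.path.isfile(path):
            problems.append(f"missing {name}")
        elif digest(path, chf) != want:
            problems.append(f"mismatch {name}")
    # A file the signed manifest does not list (say, a new profile.bashrc) fails too.
    problems += [f"unlisted {n}" for n in immediate_files(directory) if n not in listed]
    return sorted(problems)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample profile dir
        with open(os.path.join(root, "profile.bashrc"), "w") as fh:
            fh.write("export CFLAGS=-O2\n")
        lines = build_manifest(root, ("SHA1", "SHA256"))
        print(lines, verify_directory(root, lines))
```

Treating unlisted files as failures matters here because a profile bashrc is sourced simply by being present in the directory, so a manifest that only checks the files it names would not notice one being added.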
