-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 07/16/2015 09:25 PM, Kent Fredric wrote:
> On 17 July 2015 at 13:13, NP-Hardass <np-hard...@gentoo.org> wrote:
>> Additionally, I feel that a signature is a means of acknowledging
>> that a package has been looked over, and that developer has
>> stated that they approve of the existing state
>
> That much is somewhat implied by a developer owning a commit.
> Because in git, single commits span multiple files.
>
> There's GIT_COMMITTER and GIT_AUTHOR values in every commit.
>
> And a "Signature" is a digital proof that Joe Bloggs didn't forge
> a commit, label it "NP-Hardass" and push it on to some server
> pretending to be NP-Hardass.
>
> It might sound like a rubber stamping, but it's no more rubber
> stamped than our current workflow where signature generation is
> automatic and having a signed manifest doesn't in fact mean it
> *has* been looked at, it's only signing who touched it last.
>
> For NSA to break a Manifest, they'd need to update an entry and
> resign it, and then we could later work out who signed what
> manifests if we had any problem
>

Yeah, I understand that a signed manifest doesn't mean it's been looked at. My logic was that signing and keys are pretty prolific at this point, so a signed manifest implied the package has been touched (and hopefully looked at) by a dev more recently, and those that aren't signed probably haven't been touched in a longer amount of time.

- -- 
NP-Hardass
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJVqHLQAAoJEBzZQR2yrxj7a7YQAIlHbIcNl2FVwNOGR5ERegc+
RlqmOheNx654aM02Hcd44asTuug9Zy6cJ5k/LSGJEiqupg6EaDS7jnQAfqu+k6Lg
6JSPnfD0qUr5nrwNDvhUEH5LfVNHsKqCN9XyWvdy3Z0l+vKnyoWVCrINrTMEGCAf
IkVnuAXXzo83YnJwtcczxbXsLfMpvnJK12Au9sa0H75y01Vqxw6gWvQeEww/fUl4
7L3WQCiGJnW5tI7vMVhDq9vpYFaB+VIQekLge3nf5sx6PfDBS4XHqwnUHD/wnj+i
nqvjMDuyVfbc4NkDh9gW9Nk994VGu/iFBgepwT54khcuYnIVGVnad1Br69yLosDU
5DGUff1UKCQDjl8Cv88yuCf8y7zTjema3Rg09T0XqsmBWuhacw2zqESplPdlYsNj
NfDCpcpr71tCP7qhy6y05O58p/ZKQDTp66OeoCghEEiYN89jjIGqT5tdWenDXJ3a
j+MewMSzampvy5LTg3T0rQvirlq9rC1EXxQ+NmqXkVw2EK64HzcjM+kVyevvYuCK
2wiqEA4MAodd1LcW2gCNJ/nQ765OQjtMasEb8H/W9DryayzDLICUc3QdENXB5dMb
x7bS+Ft4TbE/xXyR28MhkYXHO50qeWzlLRjueS9bSdoEPbTfe62JNBv8GvyFFxS4
aYvU5QXAjHeXSECERZdU
=tWk3
-----END PGP SIGNATURE-----
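The quoted reply makes a point about what a git commit signature actually authenticates: the author and committer fields are plain header text that anyone can set, while the signature covers the commit object as a whole, so rewriting the author line invalidates it. The following Python is an added illustration of that point and is not code from this thread or from Gentoo; it parses a constructed commit object (the tree id, timestamps, e-mail addresses and the gpgsig value are all placeholders, not real data) the way git lays it out, computes the object id the way git does, and extracts the payload a signature covers, which is the object with the gpgsig header removed.

```python
import hashlib

# Constructed sample commit object in git's on-disk text layout. Not a real
# Gentoo commit: the tree id, parent, addresses and signature are placeholders.
SAMPLE_COMMIT = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "parent 0000000000000000000000000000000000000000\n"
    "author NP-Hardass <np-hardass@example.invalid> 1437105600 +0000\n"
    "committer NP-Hardass <np-hardass@example.invalid> 1437105600 +0000\n"
    "gpgsig -----BEGIN PGP SIGNATURE-----\n"
    " \n"
    " PLACEHOLDER-SIGNATURE-DATA\n"
    " -----END PGP SIGNATURE-----\n"
    "\n"
    "Example commit message\n"
)


def parse_headers(commit: str) -> tuple[dict, str]:
    """Split a commit object into header fields and message body.

    Multi-line header values (gpgsig) continue on lines that begin with a
    single space, exactly as git stores them. Merge commits repeat the
    'parent' key; this demo keeps only the last value for brevity."""
    head, _, message = commit.partition("\n\n")
    headers: dict = {}
    key = None
    for line in head.split("\n"):
        if line.startswith(" ") and key is not None:
            headers[key] += "\n" + line[1:]
        else:
            key, _, value = line.partition(" ")
            headers[key] = value
    return headers, message


def object_id(commit: str) -> str:
    """Git's commit id: SHA-1 over the header 'commit <size>\\0' plus the
    raw object bytes. Any change to author, committer or message gives a
    different id, but the id alone proves nothing about who wrote it."""
    data = commit.encode()
    return hashlib.sha1(b"commit %d\0" % len(data) + data).hexdigest()


def signed_payload(commit: str) -> str:
    """The bytes a commit signature covers: the commit object with the
    gpgsig header and its continuation lines stripped out. This is what
    `git verify-commit` hands to gpg alongside the detached signature."""
    head, sep, message = commit.partition("\n\n")
    kept = []
    skipping = False
    for line in head.split("\n"):
        if line.startswith("gpgsig "):
            skipping = True
            continue
        if skipping and line.startswith(" "):
            continue
        skipping = False
        kept.append(line)
    return "\n".join(kept) + sep + message


def rewrite_author(commit: str, name: str, email: str) -> str:
    """Replace the author header. GIT_AUTHOR_NAME / GIT_AUTHOR_EMAIL let
    anyone write any value here; only the signature ties it to a key.
    The original timestamp and timezone are preserved."""
    head, sep, message = commit.partition("\n\n")
    out = []
    for line in head.split("\n"):
        if line.startswith("author "):
            timestamp, tz = line.split(" ")[-2:]
            line = f"author {name} <{email}> {timestamp} {tz}"
        out.append(line)
    return "\n".join(out) + sep + message


if __name__ == "__main__":
    headers, message = parse_headers(SAMPLE_COMMIT)
    print("author:   ", headers["author"])
    print("committer:", headers["committer"])
    print("object id:", object_id(SAMPLE_COMMIT))
    altered = rewrite_author(SAMPLE_COMMIT, "Joe Bloggs", "joe@example.invalid")
    # The signature was made over the original payload; the altered
    # payload differs, so verification of the same signature would fail.
    print("payload changed:", signed_payload(altered) != signed_payload(SAMPLE_COMMIT))
```

Running it shows the two identity fields side by side, the object id, and that rewriting the author line changes the signed payload. This is why a valid signature is evidence against the forgery Kent describes, while the Manifest-style workflow only attests who last touched the files.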