On Fri, Aug 14, 2015 at 8:45 AM, Kristian Fiskerstrand <k...@gentoo.org> wrote:
>
>> 2. The question is why manifests are modified for rsync. In git
>> manifests are thin (only distfiles are there), in rsync they also
>> contain checksums for ebuilds and files dir content. Do we really
>> need this? These manifests are not signed now, so of little use.
>
> They will be OpenPGP signed by a releng key during thickening and
> portage will auto-verify it using gkeys once things are in place. As
> such, checksums for ebuilds and other files certainly need to be part
> of the manifest, otherwise it can open up for malicious alterations of
> these files.
>
As much as I'd love to see it all folded into git, the reality is also that git signatures are only bound to files by a series of sha1 hashes, and sha1 is not a strong hash function. Git really ought to move to sha256 at some point, preferably in a manner that makes it expandable in the future to other hash functions. But this isn't a high priority for upstream.

The same limitation is true of any git gpg signature, including tag signatures. It is all held together by sha1. The manifest system is much stronger.

--
Rich
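The thread's point, that a thin Manifest (DIST lines only) leaves the ebuilds and files/ directory unprotected while a thick one covers them, can be illustrated with a small checker. The following is an added example for this thread, not Gentoo's or Portage's own code. It follows the Manifest2 line layout (`TYPE name size HASH hex ...`, with AUX entries naming files relative to files/), uses SHA256 and SHA512 as the two digests by assumption, and works on constructed in-memory files; it does not cover the OpenPGP signature over the Manifest itself, only the per-file checksums that the signature would then bind.

```python
"""Thick vs. thin Manifest check (added illustration, not Gentoo's code).

Manifest2 lines have the layout
    <TYPE> <name> <size> <HASH> <hex> [<HASH> <hex> ...]
where TYPE is DIST (distfile), EBUILD, AUX (a file under files/) or MISC.
A thin manifest carries only DIST lines; a thick one also hashes the
ebuilds and support files that live in the repository itself.
"""
import hashlib

HASH_ALGOS = ("SHA256", "SHA512")  # assumption: the two digests used here


def classify(name):
    """Map a path inside an ebuild directory to its Manifest type and entry name."""
    if name.endswith(".ebuild"):
        return "EBUILD", name
    if name.startswith("files/"):
        return "AUX", name[len("files/"):]  # AUX entries drop the files/ prefix
    return "MISC", name


def entry_line(entry_type, name, data):
    """Render one Manifest2 line for the given bytes."""
    parts = [entry_type, name, str(len(data))]
    for algo in HASH_ALGOS:
        parts += [algo, hashlib.new(algo.lower(), data).hexdigest()]
    return " ".join(parts)


def build_manifest(repo_files, distfiles, thick=True):
    """Thin: DIST lines only.  Thick: DIST plus EBUILD/AUX/MISC lines."""
    lines = [entry_line("DIST", n, d) for n, d in sorted(distfiles.items())]
    if thick:
        for n, d in sorted(repo_files.items()):
            entry_type, entry_name = classify(n)
            lines.append(entry_line(entry_type, entry_name, d))
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Return {(type, name): (size, {algo: hexdigest})}."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        entry_type, name, size = fields[0], fields[1], int(fields[2])
        hashes = dict(zip(fields[3::2], fields[4::2]))
        entries[(entry_type, name)] = (size, hashes)
    return entries


def verify(manifest_text, repo_files, distfiles):
    """Return a list of (problem, name) tuples; an empty list means clean.

    A file with no Manifest entry is reported as 'unlisted': that is exactly
    the state of every ebuild and files/ entry under a thin manifest, where
    nothing can tell a modified ebuild from the original.
    """
    entries = parse_manifest(manifest_text)
    present = {("DIST", n): d for n, d in distfiles.items()}
    present.update({classify(n): d for n, d in repo_files.items()})
    problems = []
    for key, data in present.items():
        if key not in entries:
            problems.append(("unlisted", key[1]))
            continue
        size, hashes = entries[key]
        if size != len(data):
            problems.append(("size mismatch", key[1]))
            continue
        for algo, expected in hashes.items():
            if hashlib.new(algo.lower(), data).hexdigest() != expected:
                problems.append(("hash mismatch", key[1]))
                break
    for key in entries:
        if key not in present:
            problems.append(("missing", key[1]))
    return problems


def demo():
    """Constructed package directory: clean, then with one ebuild altered."""
    repo = {
        "foo-1.0.ebuild": b'EAPI=5\nDESCRIPTION="demo"\n',
        "files/foo-1.0-fix.patch": b"--- a\n+++ b\n",
        "metadata.xml": b"<pkgmetadata/>\n",
    }
    dist = {"foo-1.0.tar.gz": b"constructed distfile bytes"}
    # Same length as the original, so only the digests reveal the change.
    tampered = dict(repo, **{"foo-1.0.ebuild": b'EAPI=5\nDESCRIPTION="DEMO"\n'})
    thick = build_manifest(repo, dist, thick=True)
    thin = build_manifest(repo, dist, thick=False)
    return {
        "thick_clean": verify(thick, repo, dist),
        "thick_tampered": verify(thick, tampered, dist),
        "thin_tampered": verify(thin, tampered, dist),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result or "clean")
```

Running `demo()` shows the contrast: the thick Manifest reports a hash mismatch on the altered ebuild, while the thin one reports the repository files only as unlisted and raises no mismatch at all, because it never recorded their digests.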