Hi, Something like this was I believe the original idea behind signed manifests. Not sure how long ago this was, but we used to sign Manifest files at some point, though it never was part of any consistent concept as far as I know, and they weren't checked regularly.
Anything like this comes with some obvious problems that you need to answer if you want to have such a system: * How are you keeping the keys up to date? Which keys are included there? All currently active developers? All active and former developers? * What happens if a key expires? Do you accept expired signatures if the package has been committed before the expiration date? Or is there some kind of resign process if that happens? Does the developer have to do this himself or can other developers do this? If it's up on the developer what happens if he's inactive / on long holiday / not reachable when his key expires? * What happens if a key is revoked, because a developer decides to create a new key? Same question as with expired keys: Do all signatures need to be recreated? How's that going to happen? * What happens if a developer leaves Gentoo? We'll still want to have his packages. Again a resign procedure? I don't want to say this is unworkable. But these are challenges and imho fixing them all is really, really tricky. Either you break stuff regularly or you have procedures that someone has to do regularly in order to avoid breakage (more work for gentoo devs) or you expand the scope of accepted signatures very excessively. And I believe these challenges are one of the reasons the old attempts to have a signed Gentoo never went anywhere. I'm glad we have some form of signed Gentoo now, even if it relies on some centralized infrastructure. -- Hanno Böck https://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42