On 07/02/2018 08:08 PM, Jason A. Donenfeld wrote:
> On Mon, Jul 2, 2018 at 7:57 PM Rich Freeman <ri...@gentoo.org> wrote:
>> This only helps you if a dev you don't trust is compromised. If a dev
>> you trust is compromised, they can modify anything in the tree and
>> you're hosed.
> Yes indeed. This is more or less what we're aiming for. Putting the
> trust in developers. The goal is for infra not to be the weak link in
> this, as it currently is.
>
>> Sure, I'd prefer to not extract git signatures and just distribute via
>> git purely without any rsync.
> Yea, I personally don't really care much for rsync either. I've just
> kind of been assuming this is a requirement of any gentoo solution.
> But maybe this whole thing should take another dimension, and we
> should instead talk about sunsetting rsync, and moving to a model of:
> 1) git fetch, 2) git verify, 3) git checkout? There still might be
> problems with "untrusting" devs, as I wrote above, but perhaps there's
> room to grow within the git framework, by manually filtering commits
> during checkout, or even by imposing ebuild directory signature-based
> ACLs that I think you were hinting at before. So, sure, if you want to
> call for an abolition of rsync, maybe I'd follow you in that direction
> instead of the one here I'm proposing.
>
Picking a semi-random post to respond to, but the key management you're
introducing with such a proposal is just silly.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3