On 24/04/2023 18.11, Florian Schmaus wrote:
I would like to ask the Gentoo council to vote on whether EGO_SUM should be reinstated ("un-deprecated") or not.
I am thankful that the council considered my request to vote on the topic. However, the council decided not to vote on this in its last session and to return the issue to the mailing lists.
Some see the requirement of some limitations as a necessity when it comes to reinstating EGO_SUM. Unfortunately, I could not see specific numbers mentioned since June 2022 in the three EGO_SUM threads [1, 2, 3] I am aware of.
To prevent harm from Gentoo, we should reach an agreement that everyone can live with. To achieve a consensus, and since I cannot rule out that I missed a post that includes specific numbers, please share your ideas on how EGO_SUM could be reinstated in ::gentoo by replying to this mail.
Having EGO_SUM would significantly increase the security of Gentoo's users (amongst other benefits).
Personally, I do not see that we currently need any form of limitation to reinstate EGO_SUM. I substantiated this with data based on a two-year history analysis of gentoo.git. The summary is that the
- size increase of ::gentoo is unproblematic for users
- additional sync delta of ::gentoo is unproblematic for users
- higher rate of gentoo.git's increase is unproblematic for developers

when we reinstate EGO_SUM in ::gentoo.

Therefore, we could (and IMHO should) simply un-deprecate EGO_SUM. However, I would review this decision once the number of Go packages has doubled or in two years (whatever comes first).
Many share the concerns of an EGO_SUM-less world. I know that some seek a compromise by reinstating EGO_SUM with some limitations. The ::gentoo repository is able to handle packages (at least) up to the range of 2 to 1.5 MiB total package-directory size. Therefore I propose a limit in that range.
- Flow

1: https://firstname.lastname@example.org/msg95175.html
2: https://email@example.com/msg95279.html
3: https://firstname.lastname@example.org/msg97310.html