On 03/24/2011 04:59 PM, Mike Frysinger wrote:
this is especially important for the people doing arch keywording
since they make a ton of commits. i'm looking at you armin76.
One thing I don't get amidst this whole conversation is why I should
sign a Manifest file when committing KEYWORDS or
On Sun, 27 Mar 2011 17:04:56 -0500
Jeremy Olexa darks...@gentoo.org wrote:
this is especially important for the people doing arch keywording
since they make a ton of commits. i'm looking at you armin76.
One thing I don't get amidst this whole conversation is why I should
sign a
On Thu, 24/03/2011 at 17:59 -0400, Mike Frysinger wrote:
is there any reason we should allow people to commit unsigned
Manifest's anymore ?
Why? Without policy on how we do that and more importantly how we check
that signing makes no sense...
--
Peter.
On Friday 25 March 2011 11:11:12 Peter Volkov wrote:
On Thu, 24/03/2011 at 17:59 -0400, Mike Frysinger wrote:
is there any reason we should allow people to commit unsigned
Manifest's anymore ?
Why? Without policy on how we do that and more importantly how we check
that signing makes no
On 3/24/11 10:59 PM, Mike Frysinger wrote:
is there any reason we should allow people to commit unsigned
Manifest's anymore ? generating/posting/enabling a gpg key is
ridiculously easy and there's really no excuse for a dev to not have
done this already.
Firstly, I'm excited we're moving
On 03/25/2011 07:55 AM, Paweł Hajdan, Jr. wrote:
On 3/24/11 10:59 PM, Mike Frysinger wrote:
is there any reason we should allow people to commit unsigned
Manifest's anymore ? generating/posting/enabling a gpg key is
ridiculously easy and there's
On Fri, 25 Mar 2011 07:59:49 -0400
Dane Smith c1p...@gentoo.org wrote:
Having said that, for those that just use keys for e-mails (most of
us), it would make more sense to use full-blown SSL certs in the long
run. (Mathematically, same thing. But a
Having said that, for those that just use keys for e-mails (most of
us), it would make more sense to use full-blown SSL certs in the long
run. (Mathematically, same thing. But a cert needs to be signed by a
CA, and we should ideally maintain a Gentoo CA.) I need to get up to
speed with
On 3/25/11 3:43 PM, Michał Górny wrote:
How about Gentoo Foundation funding devs a full blown X509 client
certs?
Let's get signing and verifying working first, and then consider
anything that requires funding.
On 03/25/2011 11:04 AM, Paweł Hajdan, Jr. wrote:
On 3/25/11 3:43 PM, Michał Górny wrote:
How about Gentoo Foundation funding devs a full blown X509 client
certs?
Let's get signing and verifying working first, and then consider
anything that
On Fri, Mar 25, 2011 at 6:11 AM, Peter Volkov wrote:
On Thu, 24/03/2011 at 17:59 -0400, Mike Frysinger wrote:
is there any reason we should allow people to commit unsigned
Manifest's anymore ?
Why? Without policy on how we do that and more importantly how we check
that signing makes no
i dont expect the rejection to go into effect $now, so people not
signing have plenty of time to start doing so
Is the additional effort of implementing this for CVS with the current
two-stage commit even worth it?
I.e. would it not make more sense to wait _with the automated rejection_ until
On 2011-03-25 1:59 PM, Dane Smith wrote:
Having said that, for those that just use keys for e-mails (most of
us), it would make more sense to use full-blown SSL certs in the long run.
Please no. PKI is a naive design and for all intents and purposes will
remain a pipe-dream. All security
is there any reason we should allow people to commit unsigned
Manifest's anymore ? generating/posting/enabling a gpg key is
ridiculously easy and there's really no excuse for a dev to not have
done this already.
when i look at the tree, the signed stats are stupid low:
$ find *-* -maxdepth 2
On Thu, Mar 24, 2011 at 05:59:45PM -0400, Mike Frysinger wrote:
is there any reason we should allow people to commit unsigned
Manifest's anymore ? generating/posting/enabling a gpg key is
ridiculously easy and there's really no excuse for a dev to not have
done this already.
when i look at
On Thu, 2011-03-24 at 17:59 -0400, Mike Frysinger wrote:
is there any reason we should allow people to commit unsigned
Manifest's anymore ? generating/posting/enabling a gpg key is
ridiculously easy and there's really no excuse for a dev to not have
done this already.
I didn't know we still
On 03/24/2011 11:59 PM, Mike Frysinger wrote:
is there any reason we should allow people to commit unsigned
Manifest's anymore ? generating/posting/enabling a gpg key is
ridiculously easy and there's really no excuse for a dev to not have
done this already.
Also submitting the quizzes
On Thu, Mar 24, 2011 at 5:59 PM, Mike Frysinger vap...@gentoo.org wrote:
is there any reason we should allow people to commit unsigned
Manifest's anymore ? generating/posting/enabling a gpg key is
ridiculously easy and there's really no excuse for a dev to not have
done this already.
Is
On 24/03/2011 22:59, Mike Frysinger wrote:
is there any reason we should allow people to commit unsigned
Manifest's anymore ? generating/posting/enabling a gpg key is
ridiculously easy and there's really no excuse for a dev to not have
done this already.
I, for one, have never signed my
On Thu, Mar 24, 2011 at 6:28 PM, Mike Gilbert wrote:
Is there some plan to make verification of signed Manifests easy/automatic
for end users?
the end goal is for it to be transparent when it works. emerge itself
would check things as part of its digest verification.
as to the current state
On Thu, 24 Mar 2011 17:59:45 -0400
Mike Frysinger vap...@gentoo.org wrote:
is there any reason we should allow people to commit unsigned
Manifest's anymore ?
Funny that. I only started doing that Yesterday. It had been on my TODO
for a couple of years. :)
jer
On Thu, Mar 24, 2011 at 6:42 PM, Rémi Cardona wrote:
PS, wasn't manifest-signing supposed to become moot once we moved to git?
not in the least. git only provides SHA1 which is not
cryptographically strong, and we will still be mirroring only the
latest checkout via rsync. the hashes in git
Jeroen Roovers said (2011-03-25, 00:50):
On Thu, 24 Mar 2011 17:59:45 -0400
Mike Frysinger vap...@gentoo.org wrote:
is there any reason we should allow people to commit unsigned
Manifest's anymore ?
Funny that. I only started doing that Yesterday. It had been on my TODO
for a
On Thu, Mar 24, 2011 at 8:09 PM, Antoni Grzymala wrote:
Jeroen Roovers said (2011-03-25, 00:50):
On Thu, 24 Mar 2011 17:59:45 -0400 Mike Frysinger wrote:
is there any reason we should allow people to commit unsigned
Manifest's anymore ?
Funny that. I only started doing that Yesterday. It
On Thu, Mar 24, 2011 at 06:08:53PM -0400, Olivier Crête wrote:
On Thu, 2011-03-24 at 17:59 -0400, Mike Frysinger wrote:
is there any reason we should allow people to commit unsigned
Manifest's anymore ? generating/posting/enabling a gpg key is
ridiculously easy and there's really no excuse
On Thu, Mar 24, 2011 at 8:21 PM, Brian Harring wrote:
On Thu, Mar 24, 2011 at 06:08:53PM -0400, Olivier Crête wrote:
On Thu, 2011-03-24 at 17:59 -0400, Mike Frysinger wrote:
is there any reason we should allow people to commit unsigned
Manifest's anymore ? generating/posting/enabling a gpg