On Sun, May 21, 2006 at 12:10:40PM +0900, Georgi Georgiev wrote:
> Just two points:
>
> - standards should not be set by the primary package manager
> - the primary package manager does not have to be developed by Gentoo.
>
> More about it below:
>
> maillog: 20/05/2006-14:54:18(+0200): Paul de
Just two points:
- standards should not be set by the primary package manager
- the primary package manager does not have to be developed by Gentoo.
More about it below:
maillog: 20/05/2006-14:54:18(+0200): Paul de Vrieze types
> The primary package manager is the package manager that sets the
On Sat, May 20, 2006 at 06:54:44AM -0400, Peter wrote:
> On Thu, 18 May 2006 23:45:17 +0200, Patrick Lauer wrote:
>
> >The problem, in short, is how to handle the checksumming and signing of
> >gentoo-provided files so that manipulation by external entities becomes
> >difficult.
> all snip...
>
>
On Sat, May 20, 2006 at 03:21:13PM +0200, Jan Kundrát wrote:
> I don't know much about cryptography, but could you please elaborate on
> why is using one subkey for all the stuff considered a Bad Thing?
The basic form of it is a vulnerability towards a class of attacks that
require a large supply
On Sat, 20 May 2006 17:11:57 +0200
Paul de Vrieze <[EMAIL PROTECTED]> wrote:
> > > The primary package manager is maintained on official gentoo
> > > infrastructure, under control of gentoo developers.
> >
> > I don't really see this as a requirement. Many Linux distributions use
> > package manage
On Saturday 20 May 2006 18:00, Alec Warner wrote:
> Paul de Vrieze wrote:
> > The promised glep on package manager requirements. Please comment on it.
> > There are some parts that may be controversial (portage has in the past
> > not provided support for reverting to stable either), but please ke
On Saturday 20 May 2006 19:45, Marius Mauch wrote:
> On Sat, 20 May 2006 15:41:37 +0100
>
> Stephen Bennett <[EMAIL PROTECTED]> wrote:
> > > The primary package manager is the package manager that sets the
> > > standards for the tree. All ebuilds in the tree must function
> > > with the pr
On Sat, 20 May 2006 15:41:37 +0100
Stephen Bennett <[EMAIL PROTECTED]> wrote:
> > The primary package manager is the package manager that sets the
> > standards for the tree. All ebuilds in the tree must function
> > with the primary package manager. As the primary package manager
> > se
Paul de Vrieze wrote:
The promised glep on package manager requirements. Please comment on it.
There are some parts that may be controversial (portage has in the past not
provided support for reverting to stable either), but please keep the
discussion on topic.
Paul
s/primary/official/g
On Saturday 20 May 2006 11:51, Thomas Cort wrote:
> On Sat, 20 May 2006 14:54:18 +0200
>
> Paul de Vrieze <[EMAIL PROTECTED]> wrote:
> > *Primary Package Manager*
> >There is one primary package manager.
>
> Gentoo has always been about choice, could you explain what is the
> rationale behind
On Sat, 20 May 2006 15:37:54 +0100, Chris Bainbridge wrote:
> On 20/05/06, Peter <[EMAIL PROTECTED]> wrote:
>> PMFJI, but as a user, not a security expert, I had a few thoughts that I'd
>> like to throw in. Thanks to Patrick, he helped me to drill down some of
>> the ideas and I present them for c
On Saturday 20 May 2006 15:47, Dan Meltzer wrote:
> >A secondary package manager is a package manager that instead of directly
> >aiming at replacing portage as primary package manager.
>
> What does it do instead?
I've just committed a new revision, but it cooperates. A slip up on my part.
> >
On 20/05/06, Peter <[EMAIL PROTECTED]> wrote:
PMFJI, but as a user, not a security expert, I had a few thoughts that I'd
like to throw in. Thanks to Patrick, he helped me to drill down some of
the ideas and I present them for consideration. It's just a framework, so
I will be brief
Thanks for y
I agree with the basic intent here, but remain unconvinced that this is
the best way to solve the problems at hand. See below for comments on
particular parts, and for what I believe could be a more elegant
solution. It's not a complete proposal and will be rather rough around
the edges, being more
Please, don't filter --as-needed in your ebuild. If your package does not build
with --as-needed, leave the bug open, and I'll eventually take care of it
(when I have time, time constraint is my only problem).
If you filter --as-needed you are masking bugs, because the package might be
relying on
On Sat, 20 May 2006 14:54:18 +0200
Paul de Vrieze <[EMAIL PROTECTED]> wrote:
> *Primary Package Manager*
>There is one primary package manager.
Gentoo has always been about choice, could you explain what is the rationale
behind having only one primary package manager?
> All ebuilds in th
A secondary package manager is a package manager that instead of
directly aiming
at replacing portage as primary package manager.
What does it do instead?
The first restriction is that no packages in the tree must rely on
the secondary
package manager. While packages may provide a leve
Henrik Brix Andersen wrote: [Sat May 20 2006, 04:50:22AM EDT]
> On Fri, May 19, 2006 at 10:36:42PM -0400, Aron Griffis wrote:
> > Along these lines, I added my mercurial.eclass to the tree. I use it
> > personally for a couple projects, and figured it might help prevent
> > other people from needi
Robin H. Johnson wrote:
> Additionally, if the developer uses the singular primary key for a lot of
> stuff, it is more vulnerable to attack.
>
>
> Instead, the developer should create a subkey that is used for signing Gentoo
> work only. They should not sign anything else with this, including th
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I have not read this carefully. There is a lot to work through. At first
reading, I like it a lot.
Regards,
Ferris
- --
Ferris McCormick (P44646, MI) <[EMAIL PROTECTED]>
Developer, Gentoo Linux (Devrel, Sparc)
-BEGIN PGP SIGNATURE-
Versi
On Sat, 2006-05-20 at 10:13 +0200, Thierry Carrez wrote:
> Patrick Lauer wrote:
>
> > Signing strategies
> > ==
> >
> > Once there is an agreement on what files to sign with what kind of keys
> > there remains the question how to sign it. There are at least three
> > strategies:
>
On Fri, 2006-05-19 at 22:03 -0400, Ned Ludd wrote:
> If there is anything you or genone need to make signing happen you
> have the full support of the
> council
That should not be difficult if the proposal is discussed and accepted
by all other groups
> infra
it should be non-invasive and
The promised glep on package manager requirements. Please comment on it.
There are some parts that may be controversial (portage has in the past not
provided support for reverting to stable either), but please keep the
discussion on topic.
Paul
--
Paul de Vrieze
Gentoo Developer
Mail: [EMAI
On Thu, 18 May 2006 23:45:17 +0200, Patrick Lauer wrote:
>The problem, in short, is how to handle the checksumming and signing of
>gentoo-provided files so that manipulation by external entities becomes
>difficult.
all snip...
PMFJI, but as a user, not a security expert, I had a few thoughts tha
On Fri, May 19, 2006 at 10:36:42PM -0400, Aron Griffis wrote:
> Along these lines, I added my mercurial.eclass to the tree. I use it
> personally for a couple projects, and figured it might help prevent
> other people from needing to re-invent the wheel.
Errr... you added a new eclass without pos
Patrick Lauer wrote:
> Signing strategies
> ==
>
> Once there is an agreement on what files to sign with what kind of keys
> there remains the question how to sign it. There are at least three
> strategies:
> [...]
I prefer a semi-secure solution appearing soon rather than waitin
Fernando J. Pereda wrote:
> I'd like people who use Git eclass to test it and see if any of the
> 'features' I introduced break things for them.
I just incorporated much of this into my version (minus some whitespace
changes) and pushed it up. Seems to work fine on my stuff, although the
additiona