On 11/28/24 5:35 AM, Ulrich Müller wrote:
>>>>>> On Wed, 27 Nov 2024, Eli Schwartz wrote:
>
>> --- /dev/null
>> +++ b/eclass/sec-keys.eclass
>> @@ -0,0 +1,150 @@
>> +# Copyright 2024 Gentoo Authors
>> +# Distributed under the terms of the GNU General Public License v2
>> +
>> +# @ECLASS: sec-keys.eclass
>> +# @MAINTAINER:
>> +# Eli Schwartz <eschwa...@gentoo.org>
>> +# @AUTHOR:
>> +# Eli Schwartz <eschwa...@gentoo.org>
>> +# @SUPPORTED_EAPIS: 8
>> +# @BLURB: Provides a uniform way of handling ebuilds which package PGP key
>> material
>> +# @DESCRIPTION:
>> +# This eclass provides a streamlined approach to finding suitable source
>> material
>> +# for OpenPGP keys used by the verify-sig eclass. Its primary purpose is to
>> permit
>> +# developers to easily and securely package new sec-keys/* packages. The
>> eclass
>> +# removes the risk of developers accidentally packaging malformed key
>> material, or
>> +# neglecting to notice when PGP identities have changed.
>> +#
>> +# To use the eclass, define SEC_KEYS_VALIDPGPKEYS to contain the
>> fingerprint of
>> +# the key and the short name of the key's owner.
>
> Please wrap these comment lines to a line length of 70-ish characters
> for readability.
>
> Also, there should be two spaces after every full stop (except when it's
> followed by a newline), so groff can recognise the sentence end in the
> generated man page.
I usually do 80-ish for readability! Okay, I can do 70 too. :)

Thanks for the tip about the spaces, I don't usually write groff by hand.
Surprising that groff cannot handle this automatically, though.

>> +_sec_keys_set_globals() {
>> + if [[ ${SEC_KEYS_VALIDPGPKEYS[*]} ]]; then
>
> Why is the if needed? If the array is empty, the following for loop
> won't execute.

Not sure, perhaps an artifact of a previous revision that had different
handling. Let's remove it.

>> + printf '%s\n' "${imported_keys[@]}" | sort > imported_keys.list || die
>> + printf '%s\n' "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}" | sort >
>> allowed_keys.list || die
>
> Maybe create these files in ${T} instead?

I'm not sure this is an important distinction. It's the main thing the
package works on. I could put GNUPGHOME in ${T} as well, if you like? :)

But keeping it in ${WORKDIR} makes it more straightforward for people to
look at manually when a failed build happens. And that's important when
dealing with the primary logic of a package (there's no source code to
compile here).

-- 
Eli Schwartz
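Review bot: the two `printf '%s\n' ... | sort > file || die` lines in `_sec_keys_set_globals` only catch a failure of `sort` or of the redirection, because `|| die` tests the exit status of the last command in the pipeline; unless pipefail is in effect, a failing `printf` is silently ignored, so check `PIPESTATUS` (or write the list first and sort it in a second step) if the `die` is meant to be reliable. Since `imported_keys.list` and `allowed_keys.list` are evidently produced in sorted form to be compared against each other, both should be sorted under a fixed collation (`LC_ALL=C sort`) so the result does not depend on the build host's locale. Separately, the @DESCRIPTION text says SEC_KEYS_VALIDPGPKEYS holds "the fingerprint of the key and the short name of the key's owner", but the code relies on a colon separator via `${SEC_KEYS_VALIDPGPKEYS[@]%%:*}`; the documentation should state that `fingerprint:name` format explicitly.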