Hello,

I would like to propose a new attempt at Manifest signatures. Instead
of using a single per-Manifest signature, we would keep separate
signatures for each of the files, as an additional (optional) hash
type.


Motivation
----------
The current signing approach gives all the responsibility for Manifest
signature to the developer who committed the last update to the ebuild
directory, regardless of the actual commit significance.

Consider the following: Dev A is the primary package maintainer. He/she
reviewed all the ebuilds and committed a signed Manifest. Then Dev B
performs a slight cleanup of the ebuild directory. He/she modifies
metadata.xml a little and/or removes an old ebuild.

The actual ebuilds weren't modified -- yet Dev B has to sign all
of them once again. Moreover, if Dev B doesn't use Manifest signing,
the signature from Dev A is lost.


The solution
------------
As a solution for this I suggest making the GPG signatures per-file,
simply creating an additional hash type for them. For example,
a single Manifest line would look like:

EBUILD foo-1.ebuild 1000 RMD160 ... SHA1 ... SHA256 ... GPG ...

Where the GPG signature will be an explicit signature done by the dev
modifying (or reviewing) a particular file. Then, if another dev
modifies a single file, the signatures for other files would be
untouched.


Potential issues
----------------
This signing model does not provide a mechanism for signing file
removals. In other words, if a dev only removes files, he/she won't
leave any signature changes at all. If there's a reason to do that, we
can consider using a complete Manifest file signature in parallel.
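To make the proposed line layout and the removal gap concrete, here is an added example (not part of the proposal or of any Portage code) that parses Manifest lines with GPG as an optional extra hash type, verifies the content hashes, and diffs two Manifests. The GPG values, file names and contents are constructed placeholders; a real verifier would pass the signature to gpg instead of treating it as opaque.

```python
import hashlib

HASHERS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def parse_manifest_line(line):
    # Layout: TYPE name size HASH value [HASH value ...]; a GPG pair is an
    # optional extra "hash type" carrying that file's own signature.
    fields = line.split()
    if len(fields) < 5 or len(fields) % 2 == 0:
        raise ValueError(f"malformed Manifest line: {line!r}")
    hashes = dict(zip(fields[3::2], fields[4::2]))
    return {"type": fields[0], "name": fields[1], "size": int(fields[2]), "hashes": hashes}

def parse_manifest(text):
    entries = (parse_manifest_line(l) for l in text.splitlines() if l.strip())
    return {e["name"]: e for e in entries}

def verify_entry(entry, data):
    # Check the size and every content hash we implement; unknown types
    # (RMD160 here) and the opaque GPG value are skipped, not rejected.
    if len(data) != entry["size"]:
        return False
    checked = []
    for algo, value in entry["hashes"].items():
        if algo in HASHERS:
            checked.append(HASHERS[algo](data).hexdigest() == value)
    return bool(checked) and all(checked)

def signature_changes(old, new):
    # A pure removal leaves no trace in any per-file GPG value: only files
    # present in both Manifests can show a signature change.
    removed = sorted(set(old) - set(new))
    changed = sorted(n for n in new if n in old and
                     old[n]["hashes"].get("GPG") != new[n]["hashes"].get("GPG"))
    return removed, changed

def make_line(ftype, name, data, gpg=None):
    # Builds a sample line; 'gpg' is a placeholder token, not a real signature.
    parts = [ftype, name, str(len(data)), "SHA256", hashlib.sha256(data).hexdigest()]
    return " ".join(parts + (["GPG", gpg] if gpg else []))

# Constructed package directory before and after Dev B removes foo-0.ebuild.
FILES = {"foo-0.ebuild": b"EAPI=5\n", "foo-1.ebuild": b"EAPI=7\n", "metadata.xml": b"<pkgmetadata/>\n"}
OLD_MANIFEST = "\n".join([make_line("EBUILD", "foo-0.ebuild", FILES["foo-0.ebuild"], "sigA0"),
                          make_line("EBUILD", "foo-1.ebuild", FILES["foo-1.ebuild"], "sigA1"),
                          make_line("MISC", "metadata.xml", FILES["metadata.xml"])])
NEW_MANIFEST = "\n".join([make_line("EBUILD", "foo-1.ebuild", FILES["foo-1.ebuild"], "sigA1"),
                          make_line("MISC", "metadata.xml", FILES["metadata.xml"])])

if __name__ == "__main__":
    old, new = parse_manifest(OLD_MANIFEST), parse_manifest(NEW_MANIFEST)
    print(signature_changes(old, new))  # returns (['foo-0.ebuild'], []): removal, no signature change
```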

-- 
Best regards,
Michał Górny
