>>>>> On Tue, 06 Oct 2020, Michał Górny wrote:

> On Tue, 2020-10-06 at 13:34 +0200, Ulrich Mueller wrote:
>> > > > > > On Tue, 06 Oct 2020, Michał Górny wrote:
>> > On Tue, 2020-10-06 at 13:18 +0200, Ulrich Mueller wrote:
>> > > > > > > > On Tue, 06 Oct 2020, Michał Górny wrote:
>> > > > +IUSE="+verify-sig"
>> > > 
>> > > At least don't enable this by default. The feature increases
>> > > build time and has little (if any) benefits.
>> > Do you have any numbers to back this claim?
>> 
>> That's a strange question. Obviously build time can only increase if
>> you install an additional dependency and download an additional
>> distfile.

> But how significant is the increase? Can you actually measure it
> without trying hard to make things slow?

IMHO it has no benefit at all for users, because distfile integrity is
already guaranteed by digests. So this is a second and redundant method.
On the other hand, it causes download of additional distfiles which may
not be wanted by most users.

> If you are going to claim that it outweighs the 'little' benefit, you
> need to try harder than that.

No. You are the one who wants to introduce a new feature, so it's up to
you to motivate why (and how) adding a redundant method of distfile
verification would make things more secure on the users' side.

It is one thing to have this as a convenience eclass for developers
(though I still think it's over-engineered), but another thing to make
it the default for all users.

Ulrich