On Tue, 2020-10-06 at 14:06 +0200, Ulrich Mueller wrote:
> > > > > > On Tue, 06 Oct 2020, Michał Górny wrote:
> > On Tue, 2020-10-06 at 13:34 +0200, Ulrich Mueller wrote:
> > > > > > > > On Tue, 06 Oct 2020, Michał Górny wrote:
> > > > On Tue, 2020-10-06 at 13:18 +0200, Ulrich Mueller wrote:
> > > > > > > > > > On Tue, 06 Oct 2020, Michał Górny wrote:
> > > > > > +IUSE="+verify-sig"
> > > > >
> > > > > At least don't enable this by default. The feature increases
> > > > > build time and has little (if any) benefits.
> > > > Do you have any numbers to back this claim?
> > >
> > > That's a strange question. Obviously build time can only increase if
> > > you install an additional dependency and download an additional
> > > distfile.
> > But how significant is the increase? Can you actually measure it
> > without trying hard to make things slow?
>
> IMHO it has no benefit at all for users, because distfile integrity is
> already guaranteed by digests. So this is a second and redundant method.
> On the other hand, it causes download of additional distfiles which may
> not be wanted by most users.
>
> > If you are going to claim that it outweighs the 'little' benefit, you
> > need to try harder than that.
>
> No. You are the one who wants to introduce a new feature, so it's up to
> you to motivate why (and how) adding a redundant method of distfile
> verification would make things more secure on the users' side.
>

The eclassdoc answers this question already. Anyway, v2 disables it by
default, so your concern should be resolved.

-- 
Best regards,
Michał Górny