On Sun, 27 Mar 2011 17:04:56 -0500
Jeremy Olexa wrote:
> > this is especially important for the people doing arch keywording
> > since they make a ton of commits. i'm looking at you armin76.
>
> One thing I don't get amidst this whole conversation is why I should
> sign a Manifest file when
On 03/24/2011 04:59 PM, Mike Frysinger wrote:
this is especially important for the people doing arch keywording
since they make a ton of commits. i'm looking at you armin76.
One thing I don't get amidst this whole conversation is why I should
sign a Manifest file when committing KEYWORDS or
On 2011-03-25 1:59 PM, Dane Smith wrote:
> Having said that, for those that just use "keys" for e-mails (most of
> us), it would make more sense to use full blown SSL certs in the long run.
Please no. PKI is a naive design and for all intents and purposes will
remain a pipe-dream. All security re
> i dont expect the rejection to go into effect $now, so people not
> signing have plenty of time to start doing so
Is the additional effort of implementing this for CVS with the current
two-stage commit even worth it?
I.e. would it not make more sense to wait _with the automated rejection_ unti
On Fri, Mar 25, 2011 at 6:11 AM, Peter Volkov wrote:
> On Thu, 24/03/2011 at 17:59 -0400, Mike Frysinger wrote:
>> is there any reason we should allow people to commit unsigned
>> Manifest's anymore ?
>
> Why? Without policy on how we do that and more importantly how we check
> that signing makes no
On 03/25/2011 11:04 AM, "Paweł Hajdan, Jr." wrote:
> On 3/25/11 3:43 PM, Michał Górny wrote:
>> How about Gentoo Foundation funding devs a full blown X509 client
>> certs?
>
> Let's get signing and verifying working first, and then consider
> anything
On 3/25/11 3:43 PM, Michał Górny wrote:
> How about Gentoo Foundation funding devs a full blown X509 client
> certs?
Let's get signing and verifying working first, and then consider
anything that requires funding.
> > Having said that, for those that just use "keys" for e-mails (most of
> > us), it would make more sense to use full blown SSL certs in the long
> > run. (Mathematically, same thing. But a cert needs to be signed by a
> > CA, and we should ideally maintain a Gentoo CA.) I need to get up to
> > sp
On Fri, 25 Mar 2011 07:59:49 -0400
Dane Smith wrote:
> Having said that, for those that just use "keys" for e-mails (most of
> us), it would make more sense to use full blown SSL certs in the long
> run. (Mathematically, same thing. But a cert needs t
On 03/25/2011 07:55 AM, "Paweł Hajdan, Jr." wrote:
> On 3/24/11 10:59 PM, Mike Frysinger wrote:
>> is there any reason we should allow people to commit unsigned
>> Manifest's anymore ? generating/posting/enabling a gpg key is
>> ridiculously easy and
On 3/24/11 10:59 PM, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifest's anymore ? generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.
Firstly, I'm excited we're moving
On Friday 25 March 2011 11:11:12 Peter Volkov wrote:
> On Thu, 24/03/2011 at 17:59 -0400, Mike Frysinger wrote:
> > is there any reason we should allow people to commit unsigned
> > Manifest's anymore ?
>
> Why? Without policy on how we do that and more importantly how we check
> that signing makes
On Thu, 24/03/2011 at 17:59 -0400, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifest's anymore ?
Why? Without policy on how we do that and more importantly how we check
that signing makes no sense...
--
Peter.
On Thu, Mar 24, 2011 at 8:21 PM, Brian Harring wrote:
> On Thu, Mar 24, 2011 at 06:08:53PM -0400, Olivier Crête wrote:
>> On Thu, 2011-03-24 at 17:59 -0400, Mike Frysinger wrote:
>> > is there any reason we should allow people to commit unsigned
>> > Manifest's anymore ? generating/posting/enablin
On Thu, Mar 24, 2011 at 06:08:53PM -0400, Olivier Crête wrote:
> On Thu, 2011-03-24 at 17:59 -0400, Mike Frysinger wrote:
> > is there any reason we should allow people to commit unsigned
> > Manifest's anymore ? generating/posting/enabling a gpg key is
> > ridiculously easy and there's really no
On Thu, Mar 24, 2011 at 8:09 PM, Antoni Grzymala wrote:
> Jeroen Roovers said (2011-03-25, 00:50):
>> On Thu, 24 Mar 2011 17:59:45 -0400 Mike Frysinger wrote:
>> > is there any reason we should allow people to commit unsigned
>> > Manifest's anymore ?
>>
>> Funny that. I only started doing that Ye
Jeroen Roovers said (2011-03-25, 00:50):
> On Thu, 24 Mar 2011 17:59:45 -0400
> Mike Frysinger wrote:
>
> > is there any reason we should allow people to commit unsigned
> > Manifest's anymore ?
>
> Funny that. I only started doing that Yesterday. It had been on my TODO
> for a couple of yea
On Thu, Mar 24, 2011 at 6:42 PM, Rémi Cardona wrote:
> PS, wasn't manifest-signing supposed to become moot once we moved to git?
not in the least. git only provides SHA1 which is not
cryptographically strong, and we will still be mirroring only the
latest checkout via rsync. the hashes in git req
On Thu, 24 Mar 2011 17:59:45 -0400
Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifest's anymore ?
Funny that. I only started doing that Yesterday. It had been on my TODO
for a couple of years. :)
jer
On Thu, Mar 24, 2011 at 6:28 PM, Mike Gilbert wrote:
> Is there some plan to make verification of signed Manifests easy/automatic
> for end users?
the end goal is for it to be transparent when it works. emerge itself
would check things as part of its digest verification.
as to the current state
On 24/03/2011 22:59, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifest's anymore ? generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.
I, for one, have never signed m
On Thu, Mar 24, 2011 at 5:59 PM, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifest's anymore ? generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.
>
Is there some plan
On 03/24/2011 11:59 PM, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifest's anymore ? generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.
>
Also submitting the quizzes
On Thu, 2011-03-24 at 17:59 -0400, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifest's anymore ? generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.
I didn't know we sti
On Thu, Mar 24, 2011 at 05:59:45PM -0400, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifest's anymore ? generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.
>
> when i lo
is there any reason we should allow people to commit unsigned
Manifest's anymore ? generating/posting/enabling a gpg key is
ridiculously easy and there's really no excuse for a dev to not have
done this already.
when i look at the tree, the signed stats are stupid low:
$ find *-* -maxdepth 2 -nam
26 matches