is there any reason we should allow people to commit unsigned
Manifests anymore? generating/posting/enabling a gpg key is
ridiculously easy and there's really no excuse for a dev to not have
done this already.
when i look at the tree, the signed stats are stupid low:
$ find *-* -maxdepth 2 -name Manifest | wc -l
14438
$ find *-* -maxdepth 2 -name Manifest -exec grep -l 'BEGIN PGP SIGNATURE' {} + | wc -l
6032
this is especially important for the people doing arch keywording
since they make a ton of commits. i'm looking at you armin76.
-mike
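The tally in the post above only greps for a signature marker. As an added example (not code from the thread or from Gentoo), here is a POSIX shell version of that check that also requires the clearsign header and a closed signature block, optionally runs gpg --verify, and counts a tree the same way. The sample Manifests it builds are constructed here and the signature in them is a placeholder, so only the structural check is meaningful on them; the cryptographic check needs a real signature and the signer's public key.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a Gentoo-style Manifest
# carries an OpenPGP clearsign block, the property the find/grep tally above
# counts, and tally a tree the same way.

# Return 0 when $1 looks like a clearsigned Manifest: it must start with the
# clearsign header and contain a complete signature block.
manifest_is_signed() {
    f="$1"
    [ -f "$f" ] || return 1
    head -n 1 "$f" | grep -q '^-----BEGIN PGP SIGNED MESSAGE-----$' || return 1
    grep -q '^-----BEGIN PGP SIGNATURE-----$' "$f" || return 1
    grep -q '^-----END PGP SIGNATURE-----$' "$f" || return 1
    return 0
}

# Cryptographic check: only meaningful when gpg and the signer's key are
# available; returns 2 when gpg is absent so callers can tell "unverifiable"
# from "bad signature".
manifest_verify() {
    command -v gpg >/dev/null 2>&1 || return 2
    gpg --batch --quiet --verify "$1" >/dev/null 2>&1
}

# Print "signed total" for every Manifest under tree $1, at the depth the
# post's find command used (category/package/Manifest).
tally_manifests() {
    total=0; signed=0
    for m in "$1"/*/*/Manifest; do
        [ -f "$m" ] || continue
        total=$((total + 1))
        manifest_is_signed "$m" && signed=$((signed + 1))
    done
    echo "$signed $total"
}

# Constructed sample tree: one clearsigned (placeholder signature) and one
# unsigned Manifest. Prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/app-misc/foo" "$d/app-misc/bar"
    cat > "$d/app-misc/foo/Manifest" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

DIST foo-1.0.tar.gz 1234 SHA256 0000000000000000000000000000000000000000000000000000000000000000
EBUILD foo-1.0.ebuild 321 SHA256 0000000000000000000000000000000000000000000000000000000000000000
-----BEGIN PGP SIGNATURE-----

PLACEHOLDERsignaturedataPLACEHOLDERsignaturedataPLACEHOLDER=
=AAAA
-----END PGP SIGNATURE-----
EOF
    cat > "$d/app-misc/bar/Manifest" <<'EOF'
DIST bar-2.0.tar.gz 4321 SHA256 0000000000000000000000000000000000000000000000000000000000000000
EBUILD bar-2.0.ebuild 123 SHA256 0000000000000000000000000000000000000000000000000000000000000000
EOF
    echo "$d"
}
```

A server-side hook that wants to refuse unsigned Manifests would call manifest_is_signed on each committed Manifest and exit non-zero on failure, then manifest_verify against the developers' keyring; on the constructed tree, tally_manifests prints `1 2`.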
03-24-2011, 09:04 PM
Markos Chandras
rejecting unsigned commits
On Thu, Mar 24, 2011 at 05:59:45PM -0400, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifests anymore? generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.
>
> when i look at the tree, the signed stats are stupid low:
> $ find *-* -maxdepth 2 -name Manifest | wc -l
> 14438
> $ find *-* -maxdepth 2 -name Manifest -exec grep -l 'BEGIN PGP SIGNATURE' {} + | wc -l
> 6032
>
> this is especially important for the people doing arch keywording
> since they make a ton of commits. i'm looking at you armin76.
> -mike
>
Yes, I recall a similar thread in the past but I can't find it. Whilst I
am always signing my commits I can't really see a good argument on why
we should/should not do it.
On Thu, 2011-03-24 at 17:59 -0400, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifests anymore? generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.
I didn't know we still allowed that... I guess the CVS server should just
reject unsigned Manifests...
On 03/24/2011 11:59 PM, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifests anymore? generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.
>
Also, submitting the quizzes requires you to have a GPG key. This probably
hasn't been a priority before all the tree can be signed. I think it
would be ideal to start preparing for that by requiring people to sign as
you said.
Regards,
Petteri
03-24-2011, 09:19 PM
Mike Frysinger
rejecting unsigned commits
http://bugs.gentoo.org/360363
-mike
03-24-2011, 09:28 PM
Mike Gilbert
rejecting unsigned commits
On Thu, Mar 24, 2011 at 5:59 PM, Mike Frysinger <vapier@gentoo.org> wrote:
> is there any reason we should allow people to commit unsigned
> Manifests anymore? generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.
>
Is there some plan to make verification of signed Manifests
easy/automatic for end users? Or am I misunderstanding the point of
Manifest signing?
03-24-2011, 09:42 PM
Rémi Cardona
rejecting unsigned commits
On 24/03/2011 22:59, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifests anymore? generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.
I, for one, have never signed my Manifests because I've always found
GnuPG to be a major PITA.
With that being said, I do understand the rationale of signing them and
I'll adapt.
However, is there a howto or something explaining how to work
_efficiently_ with GPG? How do I avoid having to type my pass-phrase for
every commit?
Cheers,
Rémi
PS, wasn't manifest-signing supposed to become moot once we moved to git?
Set up gpg-agent with a one-week passphrase caching and standard socket,
remove gnome-keyring interface to gpg, and that's about it :P
--
Diego Elio Pettenò — Flameeyes
http://blog.flameeyes.eu/
03-24-2011, 10:42 PM
Mike Frysinger
rejecting unsigned commits
On Thu, Mar 24, 2011 at 6:47 PM, Diego Elio Pettenò wrote:
> On Thu, 24/03/2011 at 23.42 +0100, Rémi Cardona wrote:
>> However, is there a howto or something explaining how to work
>> _efficiently_ with GPG? How do I avoid having to type my pass-phrase
>> for every commit?
>
> Setup gpg-agent with a one-week passphrase caching and standard socket,
> remove gnome-keyring interface to gpg, and that's about it :P
indeed ... i put "default-cache-ttl 999999" into my ~/.gnupg/gpg-agent.conf
as for gpg-agent itself, if you use net-misc/keychain, it takes care
of launching gpg-agent if it's installed
-mike
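As an added example, not from the thread: a POSIX shell helper that reads a gpg-agent.conf and reports the passphrase cache lifetime that actually results. gpg-agent bounds default-cache-ttl by max-cache-ttl, whose built-in default is 7200 seconds, so the one-line setting quoted above gives two hours on its own rather than the week Diego described; both options must be raised. The two sample config files are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): compute the passphrase cache lifetime a
# gpg-agent.conf actually yields. gpg-agent caps default-cache-ttl at
# max-cache-ttl (built-in default 7200 s), so raising default-cache-ttl alone
# does not extend caching beyond two hours.

# Print the last value given for option $2 in config file $1, or $3 if unset.
# Commented-out lines ("#default-cache-ttl ...") are not matched.
agent_option() {
    v=$(awk -v opt="$2" '$1 == opt { v = $2 } END { print v }' "$1")
    if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

# Print the effective cache TTL in seconds: min(default-cache-ttl, max-cache-ttl),
# using gpg-agent's built-in defaults (600 and 7200) for missing options.
effective_cache_ttl() {
    def=$(agent_option "$1" default-cache-ttl 600)
    max=$(agent_option "$1" max-cache-ttl 7200)
    if [ "$def" -lt "$max" ]; then echo "$def"; else echo "$max"; fi
}

# Constructed configs: the single-option version from the post, and one that
# raises both limits to a week (604800 s). Prints the directory it created.
write_sample_confs() {
    d=$(mktemp -d)
    printf 'default-cache-ttl 999999\n' > "$d/ttl-only.conf"
    printf 'default-cache-ttl 604800\nmax-cache-ttl 604800\n' > "$d/one-week.conf"
    echo "$d"
}
```

Running effective_cache_ttl on the two files prints 7200 for ttl-only.conf and 604800 for one-week.conf; the second config is the one that matches the "one-week caching" suggestion, and keeping both values equal makes the intended lifetime explicit for anyone reviewing the file.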
03-24-2011, 10:46 PM
Mike Frysinger
rejecting unsigned commits
On Thu, Mar 24, 2011 at 6:28 PM, Mike Gilbert wrote:
> Is there some plan to make verification of signed Manifests easy/automatic for end users?
the end goal is for it to be transparent when it works. emerge itself
would check things as part of its digest verification.
as to the current state of emerge's support, i don't know. be nice if
Zac showed up to SCALE so we could sign keys.
-mike