FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Gentoo > Gentoo Development

 
 
LinkBack Thread Tools
 
Old 03-24-2011, 08:59 PM
Mike Frysinger
 
Default rejecting unsigned commits

is there any reason we should allow people to commit unsigned
Manifest's anymore ? generating/posting/enabling a gpg key is
ridiculously easy and there's really no excuse for a dev to not have
done this already.

when i look at the tree, the signed stats are stupid low:
$ find *-* -maxdepth 2 -name Manifest | wc -l
14438
$ find *-* -maxdepth 2 -name Manifest -exec grep -l 'BEGIN PGP
SIGNATURE' {} + | wc -l
6032

this is especially important for the people doing arch keywording
since they make a ton of commits. i'm looking at you armin76.
-mike
 
Old 03-24-2011, 09:04 PM
Markos Chandras
 
Default rejecting unsigned commits

On Thu, Mar 24, 2011 at 05:59:45PM -0400, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifest's anymore ? generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.
>
> when i look at the tree, the signed stats are stupid low:
> $ find *-* -maxdepth 2 -name Manifest | wc -l
> 14438
> $ find *-* -maxdepth 2 -name Manifest -exec grep -l 'BEGIN PGP
> SIGNATURE' {} + | wc -l
> 6032
>
> this is especially important for the people doing arch keywording
> since they make a ton of commits. i'm looking at you armin76.
> -mike
>
Yes, I recall a similar thread in the past but I can't find it. Whilst I
am always signing my commits I can't really see a good argument on why
we should/should not do it.

Regards,
--
Markos Chandras / Gentoo Linux Developer / Key ID: B4AFF2C2
 
Old 03-24-2011, 09:08 PM
Olivier Crête
 
Default rejecting unsigned commits

On Thu, 2011-03-24 at 17:59 -0400, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifest's anymore ? generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.

I didn't know we still allowed that.. I guess the CVS server should just
reject unsigned Manifests..


--
Olivier Crête
tester@gentoo.org
Gentoo Developer
 
Old 03-24-2011, 09:12 PM
Petteri Räty
 
Default rejecting unsigned commits

On 03/24/2011 11:59 PM, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifest's anymore ? generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.
>

Also submitting the quizzes require you to have a GPG key. This probably
hasn't been a priority before all the tree can be signed. I think it
would be idea to start preparing for that by requiring people sign as
you said.

Regards,
Petteri
 
Old 03-24-2011, 09:19 PM
Mike Frysinger
 
Default rejecting unsigned commits

http://bugs.gentoo.org/360363
-mike
 
Old 03-24-2011, 09:28 PM
Mike Gilbert
 
Default rejecting unsigned commits

On Thu, Mar 24, 2011 at 5:59 PM, Mike Frysinger <vapier@gentoo.org> wrote:
> is there any reason we should allow people to commit unsigned
> Manifest's anymore ? *generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.
>

Is there some plan to make verification of signed Manifests
easy/automatic for end users? Or am I misunderstanding the point of
Manifest signing?
 
Old 03-24-2011, 09:42 PM
Rémi Cardona
 
Default rejecting unsigned commits

Le 24/03/2011 22:59, Mike Frysinger a écrit :
> is there any reason we should allow people to commit unsigned
> Manifest's anymore ? generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.

I, for one, have never signed my Manifests because I've always found
GnuPG to be a major PITA.

With that being said, I do understand the rationale of signing them and
I'll adapt.

However, is there a howto or something explaining how to work
_efficiently_ with GPG? How do I avoid having to type my pass-phrase for
every commit?

Cheers,

Rémi

PS, wasn't manifest-signing supposed to become moot once we moved to git?
 
Old 03-24-2011, 09:47 PM
Diego Elio Pettenò
 
Default rejecting unsigned commits

Il giorno gio, 24/03/2011 alle 23.42 +0100, Rémi Cardona ha scritto:
>
>
> However, is there a howto or something explaining how to work
> _efficiently_ with GPG? How do I avoid having to type my pass-phrase
> for
> every commit?

Setup gpg-agent with a one-week passphrase caching and standard socket,
remove gnome-keyring interface to gpg, and that's about it :P

--
Diego Elio Pettenò — Flameeyes
http://blog.flameeyes.eu/
 
Old 03-24-2011, 10:42 PM
Mike Frysinger
 
Default rejecting unsigned commits

On Thu, Mar 24, 2011 at 6:47 PM, Diego Elio Pettenò wrote:
> Il giorno gio, 24/03/2011 alle 23.42 +0100, Rémi Cardona ha scritto:
>> However, is there a howto or something explaining how to work
>> _efficiently_ with GPG? How do I avoid having to type my pass-phrase
>> for every commit?
>
> Setup gpg-agent with a one-week passphrase caching and standard socket,
> remove gnome-keyring interface to gpg, and that's about it :P

indeed ... i put "default-cache-ttl 999999" into my ~/.gnupg/gpg-agent.conf

as for gpg-agent itself, if you use net-misc/keychain, it takes care
of launching gpg-agent if it's installed
-mike
 
Old 03-24-2011, 10:46 PM
Mike Frysinger
 
Default rejecting unsigned commits

On Thu, Mar 24, 2011 at 6:28 PM, Mike Gilbert wrote:
> Is there some plan to make verification of signed Manifests easy/automatic for end users?

the end goal is for it to be transparent when it works. emerge itself
would check things as part of its digest verification.

as to the current state of emerge's support, i dont know. be nice if
Zac showed up to SCALE so we could sign keys .
-mike
 

Thread Tools




All times are GMT. The time now is 03:00 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org