
Bug 64256

Summary: portage needs more signing
Product: Portage Development
Reporter: SpanKY <vapier>
Component: Conceptual/Abstract Ideas
Assignee: Portage team <dev-portage>
Status: RESOLVED LATER
Severity: enhancement
CC: basic
Priority: High
Keywords: Tracker
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 64258, 64259    
Bug Blocks:    

Description SpanKY gentoo-dev 2004-09-16 06:04:33 UTC
this is just a metabug for portage and signing

i was at a LUG meeting recently and one of the things that came up was how redhat via rpm and gpg signatures can verify a binary on a system all the way back to the original creator

that got me thinking about how portage could use more signing in places; feel free to create more bugs and mark them as blockers in this bug

Comment 1 Björn Michaelsen 2005-07-19 14:23:24 UTC
Comment from a gentoo-user: Yes.
I also think signing should really be pushed more.

Also the documentation for the already implemented features could need
improvement: I set the "gpg"-FEATURE and it complains because portage can't check
the manifests ... for example the man-pages Manifest is signed by a key 4BB5F4CA
that I couldn't find anywhere. Where do I get these keys?

Another thing I really would like to see is checking of signed binaries from a
BINHOST.

Comment 2 Björn Michaelsen 2005-07-19 23:24:13 UTC
Concerning signed binaries: Maybe portage could generate a signature for the
.tbz2 in /var/tmp/portage/package/build-info.

Comment 3 Jason Stubbs (RETIRED) gentoo-dev 2005-07-28 07:24:55 UTC
Putting a hold on feature requests for portage as they are drowning out the 
bugs. Most of these features should be available in the next major version of 
portage. But for the time being, they are just drowning out the major bugs and 
delaying the next version's progress. 
 
Any bugs that contain patches and any bugs for etc-update or dispatch-conf can 
be reopened. Sorry, I'm just not good enough with bugzilla. ;)