| Field | Value | Field | Value |
|---|---|---|---|
| Summary | */*: SCM sources and E*_REPO_URI signatures and mirroring | | |
| Product | Gentoo Linux | Reporter | cJ <cJ-gentoo> |
| Component | Current packages | Assignee | Gentoo Linux bug wranglers <bug-wranglers> |
| Status | RESOLVED INVALID | | |
| Severity | enhancement | CC | gentoo+bugs |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=913390 | | |
| Whiteboard | | | |
| Package list | | Runtime testing required | --- |
Description

cJ, 2024-04-02 14:52:36 UTC

This sounds good in principle, but it's probably unworkable with the current state of things. People already frequently complain about the size of downloads in Gentoo compared to binary distros. The linux-6.8 tarball for instance is 142MB in my distdir, while a `git clone --bare --depth=1 file:///usr/src/linux/` consumes close to twice that both on disk and network, and that's after mediocre runtime zlib compression. And unless you convince the entire world to switch to Fossil or something, you've created a SHA1 monoculture. In the context of trying to make things *more* secure that seems like a bad idea. I think a system that compares upstream tarballs to SCM and calls out any discrepancies would be of value, though. There's really nobody for me to assign this bug to, so I am closing it. This would be better handled as a project outside of Bugzilla.
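The closing comment above suggests a tool that compares an upstream release tarball against the SCM sources and calls out discrepancies. The script below is an added example of that idea; it is not part of the bug report and not a Gentoo tool. It hashes every regular file inside a tarball (stripping the single top-level directory that release tarballs normally carry, an assumption) and every regular file under an SCM checkout (skipping `.git`-style metadata directories), then reports paths present on only one side and paths whose content differs. Obtaining the checkout at the matching tag is left to the caller; the demo builds a constructed checkout and tarball in a temporary directory so it runs offline.

```python
"""Compare a release tarball against an SCM checkout and report discrepancies.

Added example, not code from the bug report or from Gentoo. Paths and file
contents in build_demo() are constructed for the demonstration.
"""
import hashlib
import io
import os
import tarfile
import tempfile


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tarball_digests(tarball_path: str) -> dict:
    """Map release-relative path -> SHA-256 for every regular file in the tarball.

    Assumes the tarball has one top-level directory (e.g. "linux-6.8/"), which is
    stripped so paths line up with a checkout. Symlinks, devices and directory
    entries are skipped; only regular file content is compared.
    """
    digests = {}
    with tarfile.open(tarball_path, "r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            name = member.name[2:] if member.name.startswith("./") else member.name
            parts = name.split("/", 1)
            rel = parts[1] if len(parts) == 2 else parts[0]
            digests[rel] = _sha256(tar.extractfile(member).read())
    return digests


def tree_digests(root: str, ignore=(".git", ".hg", ".svn")) -> dict:
    """Map checkout-relative path -> SHA-256 for every regular file under root."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in ignore)  # prune SCM metadata
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = _sha256(fh.read())
    return digests


def compare_release(tarball_path: str, checkout_dir: str) -> dict:
    """Return sorted lists of paths only in the tarball, only in SCM, or changed."""
    in_tar = tarball_digests(tarball_path)
    in_scm = tree_digests(checkout_dir)
    both = set(in_tar) & set(in_scm)
    return {
        "only_in_tarball": sorted(set(in_tar) - set(in_scm)),
        "only_in_scm": sorted(set(in_scm) - set(in_tar)),
        "changed": sorted(p for p in both if in_tar[p] != in_scm[p]),
    }


def build_demo(workdir: str):
    """Create a constructed checkout and tarball that disagree in known ways."""
    checkout = os.path.join(workdir, "checkout")
    scm_files = {  # constructed sample checkout
        "Makefile": b"all:\n\tcc -o prog src/main.c\n",
        "src/main.c": b"int main(void) { return 0; }\n",
        "src/extra.c": b"/* committed but not shipped in the tarball */\n",
        ".git/HEAD": b"ref: refs/heads/main\n",
    }
    for rel, data in scm_files.items():
        full = os.path.join(checkout, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    tar_files = {  # constructed sample release tarball with top-level dir proj-1.0/
        "proj-1.0/Makefile": scm_files["Makefile"],
        "proj-1.0/src/main.c": b"int main(void) { return 1; }\n",  # differs from SCM
        "proj-1.0/configure": b"#!/bin/sh\n# generated at release time, not in SCM\n",
    }
    tarball = os.path.join(workdir, "proj-1.0.tar.gz")
    with tarfile.open(tarball, "w:gz") as tar:
        for name, data in tar_files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return tarball, checkout


def demo() -> dict:
    """Run the comparison on the constructed sample data."""
    with tempfile.TemporaryDirectory() as workdir:
        tarball, checkout = build_demo(workdir)
        return compare_release(tarball, checkout)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths or '-'}")
```

On the sample data the report lists `configure` as only in the tarball, `src/extra.c` as only in SCM, and `src/main.c` as changed. Generated build files appearing only in the tarball are common and expected; the value of such a check is that every such difference is enumerated so a human can decide whether it is explainable, rather than being silently accepted.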