Portage should verify the integrity of the signatures after syncing.
See http://mikegerwitz.com/docs/git-horror-story.html#_enforcing_trust for information on how this could be implemented.
We should probably have PMS specify how this is supposed to work.
Isn't this just what GLEPs 57 to 61 (especially 58) try to achieve?
When I was asked about my thoughts on MetaManifest recently, it occurred to me that categorizing files into different types adds unnecessary complexity. The only type that absolutely needs special treatment is DIST files, since they are out-of-tree. For in-tree files, it's only essential to have a list of files and digests. Otherwise, the only motivation to categorize files would be to declare an "allow missing" attribute on some files, so that the tree can still be verified if people want to selectively prune/filter files from it. However, we have to decide whether the ability to prune/filter files is worth the added complexity.
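As an added illustration of the "list of files and digests" model discussed in the comment above (example code written for this page, not Portage's or GLEP 74's implementation; the manifest grammar, the DATA/DIST/OPTIONAL tokens, the file names and the sample contents are all constructed assumptions), the Python verifier below treats DIST entries as out-of-tree and skips them, requires every other listed file to exist with a matching size and SHA-512 unless it carries the "allow missing" flag, and reports any in-tree file the manifest does not list, since an unlisted file is exactly what a tampered checkout would contain.

```python
import hashlib
import os
import tempfile

# Added example; the grammar is constructed and is NOT the GLEP 74 Manifest format.
# One entry per line:  TYPE PATH SIZE SHA512 [OPTIONAL]
# DIST entries name out-of-tree distfiles and are never checked for presence here;
# every other entry is an in-tree file. OPTIONAL is the "allow missing" attribute.

def sha512_hex(path):
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed manifest line: " + raw)
        kind, path, size, digest = fields[:4]
        entries.append({"type": kind, "path": path, "size": int(size),
                        "sha512": digest.lower(), "optional": "OPTIONAL" in fields[4:]})
    return entries

def verify_tree(root, manifest_text):
    """Return a sorted list of problems; an empty list means the tree verifies."""
    problems, listed = [], set()
    for e in parse_manifest(manifest_text):
        if e["type"] == "DIST":
            continue  # out-of-tree: checked against DISTDIR at fetch time, not here
        listed.add(e["path"])
        full = os.path.join(root, e["path"])
        if not os.path.isfile(full):
            if not e["optional"]:
                problems.append("missing: " + e["path"])
            continue
        if os.path.getsize(full) != e["size"] or sha512_hex(full) != e["sha512"]:
            problems.append("digest mismatch: " + e["path"])
    # Anything present but unlisted is a problem: extra files must not slip in unverified.
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel != "Manifest" and rel not in listed:
                problems.append("unlisted: " + rel)
    return sorted(problems)

def build_demo_tree():
    """Create a constructed package directory plus a manifest covering it."""
    root = tempfile.mkdtemp(prefix="manifest-demo-")
    files = {"foo-1.0.ebuild": b"EAPI=7\nDESCRIPTION=\"constructed sample\"\n",
             "metadata.xml": b"<pkgmetadata/>\n",
             "files/foo.patch": b"--- a\n+++ b\n"}
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    lines = ["DIST foo-1.0.tar.gz 12345 " + "0" * 128]  # placeholder digest, never checked
    for rel, data in files.items():
        flag = " OPTIONAL" if rel == "metadata.xml" else ""
        lines.append("DATA %s %d %s%s" % (rel, len(data), sha512_hex(os.path.join(root, rel)), flag))
    manifest = "\n".join(lines) + "\n"
    with open(os.path.join(root, "Manifest"), "w") as f:
        f.write(manifest)
    return root, manifest

def demo():
    """Walk through the scenarios from the discussion and return each verdict."""
    results = {}
    root, manifest = build_demo_tree()
    results["intact"] = verify_tree(root, manifest)
    os.remove(os.path.join(root, "metadata.xml"))          # pruning an OPTIONAL file is fine
    results["pruned_optional"] = verify_tree(root, manifest)
    os.remove(os.path.join(root, "files/foo.patch"))       # pruning a required file is not
    results["pruned_required"] = verify_tree(root, manifest)
    with open(os.path.join(root, "foo-1.0.ebuild"), "ab") as f:
        f.write(b"src_install() { :; }\n")                  # tampered content
    results["tampered"] = verify_tree(root, manifest)
    with open(os.path.join(root, "foo-9999.ebuild"), "wb") as f:
        f.write(b"EAPI=7\n")                                # injected, unlisted file
    results["extra_file"] = verify_tree(root, manifest)
    return results

if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "OK")
```

The point the example makes is that once DIST entries are set aside, a flat list of paths and digests plus one boolean is enough to decide every case: intact and optionally pruned trees verify, while removed required files, modified files and injected files are each reported. Whether that boolean is worth carrying is the trade-off the comment raises.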
This is specified in GLEP 74, therefore outside of PMS's scope. *** This bug has been marked as a duplicate of bug 636750 ***