\summary{2005}{12}{15}

Agenda call: \agoref{gentoo-dev}{0b0ae67d6fa6c4d0363f28a68d0ffc0b}

\agendaitem{Decision on multi-hash for Manifest1}
\index{multi-hash}\index{Manifest}\index{hash!SHA256}\index{hash!SHA1}
\index{hash!RMD160}\index{hash!MD5}\index{ChangeLog}\index{metadata.xml}
\index{Manifest!format 1}

Reference: http://article.gmane.org/gmane.linux.gentoo.devel/33434%
\footnote{Likely \agoref{gentoo-dev}{f97ff5732872ffe44ef05627b7a19cc1}}

There was a bit of hearsay about why the council was asked to review / decide
on this issue, since we were not able to locate any portage developers at the
time of the meeting... so our decision comes with a slight caveat. Assuming the
reasons our input was asked for were summarized in the e-mail originally sent
by \dev{genone}, we are for what we dubbed option (2.5.1). That is, the
portage team should go ahead with portage 2.0.54 and include support for
SHA256 / RMD160 hashes on top of MD5 hashes. SHA1 should not be included, as
having both SHA256 / SHA1 is pointless. Furthermore, we hope this is just a
holdover until Manifest2 is ironed out / approved / implemented / deployed.

It was also noted that we should probably omit ChangeLog and metadata.xml
files from the current Manifest schema, as digesting them serves no real
purpose.

\agendaitem{Portage signing}
\index{portage signing}\index{Manifest!signing}

Shortly after our November meeting, a nice
summary\footnote{Likely \agoref{gentoo-portage-dev}{1ffa48adfce79105cca532c00533c298}}
was posted by \dev{robbat2} that covered signing issues from top to bottom. As
such, it was felt that trying to throw together a GLEP would not be
beneficial. Instead, we will be adding a standing agenda item to future council
meetings on the status of portage signing issues, to keep the project from
slipping into obscurity again.