1 |
On Sat, Oct 08, 2011 at 02:45:02PM -0700, "Paweł Hajdan, Jr." wrote: |
2 |
> I checked |
3 |
> <http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=5> |
4 |
> and the Handbook only mentions validating MD5 checksums. |
5 |
> |
6 |
> There are two possible issues: |
7 |
> |
8 |
> 1. Why are we using _only_ MD5 and SHA1 as the checksums? Shouldn't we |
9 |
> be using something stronger? |
10 |
Fixed in Catalyst now. |
11 |
http://git.overlays.gentoo.org/gitweb/?p=proj/catalyst.git;a=commit;h=42b4f6608682cf03954918ecce7923330a1656fe |
12 |
So when the stagebuilders update their Catalyst, they will be generated |
13 |
with newer hashes. |
14 |
|
15 |
> 2. I noticed the checksums are signed (.asc files). With what key are |
16 |
> they signed? How is that key handled, and how to ensure people use the |
17 |
> right key when verifying the signature? |
18 |
Documented here: |
19 |
http://www.gentoo.org/proj/en/releng/ |
20 |
|
21 |
Relevant to this discussion: |
22 |
The weekly builds are signed with: |
23 |
key 2D182910 RSA 4096-bit, generated 2009/08/25 |
24 |
Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@g.o> |
25 |
|
26 |
It's located in the pipeline that collects stages and isos for publication. |
27 |
|
28 |
The non-weekly releases (eg 11.2) have a separate key |
29 |
key 17072058, DSA 1024-bit, generated 2004/07/20 |
30 |
Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@g.o> |
31 |
|
32 |
-- |
33 |
Robin Hugh Johnson |
34 |
Gentoo Linux: Developer, Trustee & Infrastructure Lead |
35 |
E-Mail : robbat2@g.o |
36 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |