| 1 |
On Fri, Jun 08, 2012 at 03:40:57PM +0200, Michael Weber wrote: |
| 2 |
> I'd suggest to generate an tarball (containing an keyring) to sign by |
| 3 |
> an master key (member of trustee/council/..) to be deployed on all |
| 4 |
> systems (like it's done on archlinux and debian). |
| 5 |
> |
| 6 |
> But the current vulnerability is exporting/importhing these keys to |
| 7 |
> pgp.mit.edu et al. |
| 8 |
|
| 9 |
If you just want to check for valid signatures, you can blindly |
| 10 |
download the keys from a keyserver. If you want to verify that those |
| 11 |
signing keys belong to Gentoo devs, you'll need a web of trust, just |
| 12 |
like any other PGP situation. The problem is distributing the trust, |
| 13 |
not the distributing the keys [1]. |
| 14 |
|
| 15 |
If you want a central policy for trusting Gentoo devs, you've already |
| 16 |
got an authentication scheme set up to log into the Gentoo servers. |
| 17 |
If you trust that scheme, and trust those servers against privilege |
| 18 |
escalation and the like, then if a dev can log into the server and |
| 19 |
configure their preferred key fingerprint, that seems like a |
| 20 |
sufficiently rigorous proof for the Gentoo infra folks to conclude |
| 21 |
that the dev in question owns the key in question. |
| 22 |
|
| 23 |
The fact that the Gentoo infra folks might trust the dev's key enough |
| 24 |
to publish snapshots signed by that key has no bearing on whether I, |
| 25 |
as a non Gentoo dev who knows none of the infra folks, can trust the |
| 26 |
key. I've got to establish my own web of trust to make that happen, |
| 27 |
and it's not something that I expect Gentoo to help me with. |
| 28 |
|
| 29 |
[1]: |
| 30 |
http://www.gnupg.org/gph/en/manual.html#AEN533 |
| 31 |
http://www.gnupg.org/gph/en/manual.html#AEN554 |
| 32 |
|
| 33 |
-- |
| 34 |
This email may be signed or encrypted with GnuPG (http://www.gnupg.org). |
| 35 |
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy |
Archives