Archives
Archives
| From: | "Paweł Hajdan | ||
|---|---|---|---|
| To: | gentoo-dev@l.g.o | ||
| Subject: | Re: [gentoo-dev] integrity of stage files | ||
| Date: | Sat, 08 Oct 2011 23:40:24 | ||
| Message-Id: | 4E90DF3C.8030307@gentoo.org | ||
| In Reply to: | Re: [gentoo-dev] integrity of stage files by "Robin H. Johnson" |
||
| 1 | On 10/8/11 3:43 PM, Robin H. Johnson wrote: |
| 2 | >> 1. Why are we using _only_ MD5 and SHA1 as the checksums? Shouldn't we |
| 3 | >> be using something stronger? |
| 4 | > Fixed in Catalyst now. |
| 5 | > http://git.overlays.gentoo.org/gitweb/?p=proj/catalyst.git;a=commit;h=42b4f6608682cf03954918ecce7923330a1656fe |
| 6 | > So when the stagebuilders update their Catalyst, they will be generated |
| 7 | > with newer hashes. |
| 8 | |
| 9 | Thank you for a quick reaction, but maybe in one aspect it was too |
| 10 | quick: |
| 11 | <http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=5> |
| 12 | tells people to use md5sum, and the patch above _removes_ md5 sum, which |
| 13 | means the Handbook instructions now won't work. |
| 14 | |
| 15 | Suggested course of action: |
| 16 | |
| 17 | 1. Please re-add md5 sum. |
| 18 | 2. File a bug to modify the handbook to verify sha sum instead. |
| 19 | 3. Then remove the checksum. |
| 20 | |
| 21 | >> 2. I noticed the checksums are signed (.asc files). With what key are |
| 22 | >> they signed? How is that key handled, and how to ensure people use the |
| 23 | >> right key when verifying the signature? |
| 24 | > Documented here: |
| 25 | > http://www.gentoo.org/proj/en/releng/ |
| 26 | |
| 27 | Ah, I just forgot about that page. Okay, so can we also update the |
| 28 | Handbook to include GPG signature checking? |
| File name | MIME type |
|---|---|
| signature.asc | application/pgp-signature |
| Subject | Author |
|---|---|
| Re: [gentoo-dev] integrity of stage files | "Robin H. Johnson" <robbat2@g.o> |