Gentoo Archives: gentoo-dev

From: "Robin H. Johnson" <robbat2@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] integrity of stage files
Date: Sun, 09 Oct 2011 00:02:51
Message-Id: robbat2-20111008T235956-544114453Z@orbis-terrarum.net
In Reply to: Re: [gentoo-dev] integrity of stage files by "Paweł Hajdan
On Sat, Oct 08, 2011 at 04:39:40PM -0700, "Paweł Hajdan, Jr." wrote:
> On 10/8/11 3:43 PM, Robin H. Johnson wrote:
> >> 1. Why are we using _only_ MD5 and SHA1 as the checksums? Shouldn't we
> >> be using something stronger?
> > Fixed in Catalyst now.
> > http://git.overlays.gentoo.org/gitweb/?p=proj/catalyst.git;a=commit;h=42b4f6608682cf03954918ecce7923330a1656fe
> > So when the stagebuilders update their Catalyst, they will be generated
> > with newer hashes.
>
> Thank you for a quick reaction, but maybe in one aspect it was too
> quick:
> <http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=5>
> tells people to use md5sum, and the patch above _removes_ md5 sum, which
> means the Handbook instructions now won't work.
>
> Suggested course of action:
>
> 1. Please re-add md5 sum.
Done.
> 2. File a bug to modify the handbook to verify sha sum instead.
https://bugs.gentoo.org/show_bug.cgi?id=386475

> 3. Then remove the checksum.
>
> >> 2. I noticed the checksums are signed (.asc files). With what key are
> >> they signed? How is that key handled, and how to ensure people use the
> >> right key when verifying the signature?
> > Documented here:
> > http://www.gentoo.org/proj/en/releng/
> Ah, I just forgot about that page. Okay, so can we also update the
> Handbook to include GPG signature checking?
It DOES already mention checking the signature:
http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=2#doc_chap3

Also opened another bug for correcting keys.
https://bugs.gentoo.org/show_bug.cgi?id=386477

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@g.o
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
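The thread above turns on two checks a user makes before unpacking a stage tarball: that the digest file lists a hash stronger than MD5/SHA1, and that the tarball matches it (the GPG signature on the .asc file is the third). The following is an added example, not Catalyst code or anything from the Gentoo handbook: it parses a DIGESTS-style file in the "# ALGO HASH" / "hexdigest  filename" layout (the layout is assumed here, as is the sample file name and its contents, which are constructed) and enforces the policy the thread arrives at, namely that every digest it can compute must match and at least one matched algorithm must be stronger than MD5 or SHA1.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Algorithms the thread's point 1 treats as too weak to stand alone.
WEAK = {"md5", "sha1"}

# Constructed sample; not a real Gentoo stage file.
SAMPLE_NAME = "stage3-x86-constructed.tar.bz2"
SAMPLE_DATA = b"not a real stage tarball; constructed sample bytes\n"


def parse_digests(text: str) -> List[Tuple[str, str, str]]:
    """Parse '# <ALGO> HASH' sections into (algo, hexdigest, filename) triples.

    Assumed layout: a comment line names the algorithm, and each following
    non-comment line is '<hexdigest>  <filename>' (md5sum/sha512sum style).
    """
    entries = []
    algo = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = re.match(r"#\s*(\S+)\s+HASH$", line, re.IGNORECASE)
        if header:
            algo = header.group(1).lower()
            continue
        if line.startswith("#") or algo is None:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        entries.append((algo, parts[0].lower(), parts[1].strip()))
    return entries


def make_digests(data: bytes, filename: str, algos: List[str]) -> str:
    """Produce DIGESTS-style text for `data` (the assumed layout above)."""
    out = []
    for algo in algos:
        out.append(f"# {algo.upper()} HASH")
        out.append(f"{hashlib.new(algo, data).hexdigest()}  {filename}")
    return "\n".join(out) + "\n"


def verify(data: bytes, filename: str, digests_text: str) -> Dict[str, object]:
    """Check `data` against every digest listed for `filename`.

    Policy: every listed digest this Python can compute must match, and at
    least one matched algorithm must be outside WEAK. A file that only
    carries MD5/SHA1 is reported with weak_only=True and is not accepted.
    """
    result: Dict[str, object] = {"ok": False, "matched": [], "mismatched": [],
                                 "unsupported": [], "weak_only": False}
    for algo, expected, name in parse_digests(digests_text):
        if name != filename:
            continue
        try:
            actual = hashlib.new(algo, data).hexdigest()
        except ValueError:
            # e.g. an algorithm this OpenSSL build lacks; skip, don't fail
            result["unsupported"].append(algo)
            continue
        bucket = "matched" if actual == expected else "mismatched"
        result[bucket].append(algo)
    strong = [a for a in result["matched"] if a not in WEAK]
    result["weak_only"] = bool(result["matched"]) and not strong
    result["ok"] = not result["mismatched"] and bool(strong)
    return result


if __name__ == "__main__":
    good = make_digests(SAMPLE_DATA, SAMPLE_NAME, ["md5", "sha1", "sha512"])
    print("intact, md5+sha1+sha512:", verify(SAMPLE_DATA, SAMPLE_NAME, good))
    print("tampered:", verify(SAMPLE_DATA + b"\x00", SAMPLE_NAME, good))
    weak = make_digests(SAMPLE_DATA, SAMPLE_NAME, ["md5"])
    print("md5 only:", verify(SAMPLE_DATA, SAMPLE_NAME, weak))
```

The hash check is only meaningful after the digest file's signature has been verified against the release engineering key documented on the releng page linked above (gpg --verify on the .asc file); an unsigned or wrongly-signed DIGESTS file can list any hash the attacker likes, which is the thread's point 2.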
