1 |
On Sat, Oct 08, 2011 at 04:39:40PM -0700, "Paweł Hajdan, Jr." wrote: |
2 |
> On 10/8/11 3:43 PM, Robin H. Johnson wrote: |
3 |
> >> 1. Why are we using _only_ MD5 and SHA1 as the checksums? Shouldn't we |
4 |
> >> be using something stronger? |
5 |
> > Fixed in Catalyst now. |
6 |
> > http://git.overlays.gentoo.org/gitweb/?p=proj/catalyst.git;a=commit;h=42b4f6608682cf03954918ecce7923330a1656fe |
7 |
> > So when the stagebuilders update their Catalyst, they will be generated |
8 |
> > with newer hashes. |
9 |
> |
10 |
> Thank you for a quick reaction, but maybe in one aspect it was too |
11 |
> quick: |
12 |
> <http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=5> |
13 |
> tells people to use md5sum, and the patch above _removes_ md5 sum, which |
14 |
> means the Handbook instructions now won't work. |
15 |
> |
16 |
> Suggested course of action: |
17 |
> |
18 |
> 1. Please re-add md5 sum. |
19 |
Done. |
20 |
> 2. File a bug to modify the handbook to verify sha sum instead. |
21 |
https://bugs.gentoo.org/show_bug.cgi?id=386475 |
22 |
|
23 |
> 3. Then remove the checksum. |
24 |
> |
25 |
> >> 2. I noticed the checksums are signed (.asc files). With what key are |
26 |
> >> they signed? How is that key handled, and how to ensure people use the |
27 |
> >> right key when verifying the signature? |
28 |
> > Documented here: |
29 |
> > http://www.gentoo.org/proj/en/releng/ |
30 |
> Ah, I just forgot about that page. Okay, so can we also update the |
31 |
> Handbook to include GPG signature checking? |
32 |
It DOES already mention checking the signature: |
33 |
http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=2#doc_chap3 |
34 |
|
35 |
Also opened another bug for correcting keys. |
36 |
https://bugs.gentoo.org/show_bug.cgi?id=386477 |
37 |
|
38 |
-- |
39 |
Robin Hugh Johnson |
40 |
Gentoo Linux: Developer, Trustee & Infrastructure Lead |
41 |
E-Mail : robbat2@g.o |
42 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |