-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 06/08/2012 01:36 PM, Rich Freeman wrote:

> I doubt any dev checks the signatures on manifest files before
> they overwrite them with a new signature. If they did it wouldn't
> matter since those signatures aren't even mandatory anyway.
> Certainly it isn't intuitive to me that when I perform a signature
> on changes I make that I'm also vouching for work committed by
> somebody else before me.

I'm trying to do this, but first we need a keyring with all dev gpg
keys - securely distributed - to verify the signatures.

We (almost all) have gentoogpg key-ids in ldap, most have fingerprints
in gentoofingerprint in ldap, but we have to download these keys from
public keyservers. And it's not mandatory to either sign at all or sign
with keys mentioned in ldap.

Someone pointed me to tove's list of gpg keys used for signing [1].

I'd suggest generating a tarball (containing a keyring) signed by a
master key (member of trustee/council/..) to be deployed on all
systems (like it's done on archlinux and debian).

But the current vulnerability is exporting/importing these keys to
pgp.mit.edu et al.

Suggestions?

Michael

[1] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/keys_in_use.txt

- --
Gentoo Dev
http://xmw.de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk/SAOkACgkQknrdDGLu8JBWywD/e4kT9jUt3CFFMZgMla14zdwT
dmZZs4R5to9CikKAFqwA/1dcXV9/8H/qrW0q8yO7pEIdCdr8RD2d0mochceEeyxd
=+k9D
-----END PGP SIGNATURE-----
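One way to build the check the mail's proposal implies, as an added example that is not from the original post and is not Gentoo infrastructure code: pin every key in a dedicated keyring to the fingerprint recorded in LDAP (not merely to the key ID, which is only the last 16 hex digits of a v4 fingerprint and is exactly what a keyserver look-alike would match), and accept a Manifest signature only when gpg's VALIDSIG status line names a pinned fingerprint. The developer names, fingerprints, the LDAP mapping and both pieces of gpg output below are constructed for illustration; the --with-colons and --status-fd record layouts are GnuPG's documented ones, but nothing here talks to a real keyserver or LDAP server.

```python
"""Pin a developer keyring to LDAP fingerprints and gate Manifest signatures on it.

Added example, not Gentoo infrastructure code.  Names, fingerprints and gpg
output are constructed.  In practice LDAP_FINGERPRINTS would be filled from the
gentoofingerprint attribute and the gpg texts would come from
`gpg --with-colons --fingerprint --list-keys` and `gpg --status-fd 1 --verify`.
"""
from dataclasses import dataclass, field

# Constructed stand-in for LDAP: developer -> 40-hex-digit primary fingerprint.
LDAP_FINGERPRINTS = {
    "dev1": "AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111",
    "dev2": "BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222",
    "dev3": "CCCCCCCCCCCCCCCCCCCCCCCC3333333333333333",
}

# Constructed --with-colons listing of a keyring filled from a public keyserver.
# The second key is a look-alike: its long key ID equals the last 16 hex digits
# of dev2's LDAP fingerprint, but the full fingerprint differs.  dev3's key was
# never fetched at all.
KEYSERVER_LISTING = """\
tru::1:1339000000:0:3:1:5
pub:-:4096:1:1111111111111111:1300000000:1400000000::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:-::::1300000000::DEADBEEF::Dev One <dev1@gentoo.org>:
sub:-:4096:1:9999999999999999:1300000000:1400000000:::::e:
fpr:::::::::EEEEEEEEEEEEEEEEEEEEEEEE9999999999999999:
pub:-:2048:1:2222222222222222:1300000000:1400000000::-:::scESC:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDD2222222222222222:
uid:-::::1300000000::CAFEBABE::Dev Two <dev2@gentoo.org>:
"""

# Constructed --status-fd output for a Manifest signed by the look-alike key
# and for one signed by dev1.  GOODSIG only says the signature verifies against
# some key in the keyring; VALIDSIG carries the fingerprint we pin on.
STATUS_LOOKALIKE = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2222222222222222 Dev Two <dev2@gentoo.org>
[GNUPG:] VALIDSIG DDDDDDDDDDDDDDDDDDDDDDDD2222222222222222 2012-06-08 1339150000 0 4 0 1 8 01 DDDDDDDDDDDDDDDDDDDDDDDD2222222222222222
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_DEV1 = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Dev One <dev1@gentoo.org>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111 2012-06-08 1339150000 0 4 0 1 8 01 AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


@dataclass
class Key:
    keyid: str                 # field 5 of the pub record (long key ID)
    fingerprint: str = ""      # field 10 of the fpr record following pub
    uids: list = field(default_factory=list)


def parse_colons(listing: str) -> list:
    """Collect primary keys from --with-colons output (pub, then its fpr and uids)."""
    keys, prev = [], ""
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append(Key(keyid=f[4].upper()))
        elif f[0] == "fpr" and prev == "pub":   # fpr after sub is a subkey's, skip
            keys[-1].fingerprint = f[9].upper()
        elif f[0] == "uid" and keys:
            keys[-1].uids.append(f[9])
        prev = f[0]
    return keys


def audit_keyring(keys, ldap):
    """Return (trusted, rejected, missing): keys whose fingerprint is in LDAP,
    keys that are not, and LDAP developers with no key in the keyring."""
    by_fpr = {fpr.upper(): dev for dev, fpr in ldap.items()}
    trusted, rejected = {}, {}
    for k in keys:
        dev = by_fpr.get(k.fingerprint)
        if dev is not None:
            trusted[dev] = k.fingerprint
        else:
            rejected[k.keyid] = k.fingerprint
    return trusted, rejected, sorted(set(ldap) - set(trusted))


def keyid_only_match(keys, ldap):
    """The weak check, for contrast: matching on the long key ID alone also
    accepts the look-alike, because the key ID is just a suffix of the fingerprint."""
    by_id = {fpr[-16:].upper(): dev for dev, fpr in ldap.items()}
    return sorted(by_id[k.keyid] for k in keys if k.keyid in by_id)


def signer_fingerprint(status: str):
    """Primary-key fingerprint from the VALIDSIG line, or None if there is none.
    When a subkey signed, VALIDSIG's optional last field is the primary fingerprint."""
    for line in status.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            return (f[11] if len(f) >= 12 else f[2]).upper()
    return None


def accept_manifest_signature(status: str, ldap):
    """Return (developer, reason); developer is None when the Manifest must be rejected."""
    fpr = signer_fingerprint(status)
    if fpr is None:
        return None, "no valid signature"
    dev = {v.upper(): k for k, v in ldap.items()}.get(fpr)
    if dev is None:
        return None, "signer %s is not registered in LDAP" % fpr
    return dev, "ok"


if __name__ == "__main__":
    trusted, rejected, missing = audit_keyring(parse_colons(KEYSERVER_LISTING), LDAP_FINGERPRINTS)
    print("trusted:", trusted, "rejected:", rejected, "missing:", missing)
    print(accept_manifest_signature(STATUS_LOOKALIKE, LDAP_FINGERPRINTS))
    print(accept_manifest_signature(STATUS_DEV1, LDAP_FINGERPRINTS))
```

With a keyring built this way the web-of-trust state gpg reports (TRUST_UNDEFINED above) is irrelevant: trust comes from the fingerprint list, which is why that list, and the keyring tarball built from it, needs the signed distribution channel the mail asks for rather than a keyserver download.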