Gentoo Archives: gentoo-dev

From: Michael Weber <xmw@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing
Date: Fri, 08 Jun 2012 13:43:09
Message-Id: 4FD200E9.90907@gentoo.org
In Reply to: Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing by Rich Freeman
On 06/08/2012 01:36 PM, Rich Freeman wrote:

> I doubt any dev checks the signatures on manifest files before
> they overwrite them with a new signature. If they did it wouldn't
> matter since those signatures aren't even mandatory anyway.
> Certainly it isn't intuitive to me that when I perform a signature
> on changes I make that I'm also vouching for work committed by
> somebody else before me.

I'm trying to do this,

but first we need a keyring with all dev gpg keys - securely
distributed - to verify the signatures.

We (almost all) have gentoogpg key-ids in LDAP, most have fingerprints
in gentoofingerprint in LDAP, but we have to download these keys from
public keyservers. And it's not mandatory to either sign at all or sign
with keys mentioned in LDAP.

Someone pointed me to tove's list of gpg keys used for signing [1].

I'd suggest generating a tarball (containing a keyring) signed by
a master key (member of trustee/council/..) to be deployed on all
systems (like it's done on Arch Linux and Debian).

But the current vulnerability is exporting/importing these keys to
pgp.mit.edu et al.

Suggestions?

Michael

[1] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/keys_in_use.txt

--
Gentoo Dev
http://xmw.de/
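The check the mail is asking for, as an added example that is not part of the thread or of Gentoo's tooling: verify a Manifest against only the deployed dev keyring and accept it only when the signing key's full fingerprint matches one recorded in LDAP. The keyring path, the fingerprint list and the sample gpg status lines are assumptions constructed for the example.

```python
"""Verify a Gentoo Manifest against a curated dev keyring (added example)."""
import subprocess

# Hypothetical path where the signed keyring tarball would be unpacked.
DEVKEYRING = "/etc/portage/gentoo-devkeys.gpg"


def gpg_verify_command(manifest_path, keyring=DEVKEYRING):
    # Ignore the user's default keyring so only the distributed dev keys
    # count, and emit machine-readable status lines on stdout for parsing.
    return ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
            "--status-fd", "1", "--verify", manifest_path]


def parse_status(status_output):
    """Return (state, fingerprint) from `gpg --status-fd` output.

    state is 'valid', 'bad', 'no_pubkey' or 'unsigned'.  Only VALIDSIG
    carries the full 40-hex-digit fingerprint; GOODSIG alone gives a short
    key id, which is not enough to compare against the LDAP fingerprint.
    Any BADSIG/ERRSIG/NO_PUBKEY line makes the whole result unacceptable.
    """
    state, fpr = "unsigned", None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "VALIDSIG" and state == "unsigned":
            state, fpr = "valid", fields[2].upper()
        elif keyword == "BADSIG":
            state, fpr = "bad", None
        elif keyword in ("ERRSIG", "NO_PUBKEY") and state != "bad":
            state, fpr = "no_pubkey", None
    return state, fpr


def manifest_accepted(status_output, ldap_fingerprints):
    """Accept only a valid signature made by a key whose fingerprint is
    listed in LDAP (gentoofingerprint values are normalised by dropping
    spaces and case)."""
    allowed = {f.replace(" ", "").upper() for f in ldap_fingerprints}
    state, fpr = parse_status(status_output)
    return state == "valid" and fpr in allowed


def verify_manifest(manifest_path, ldap_fingerprints, keyring=DEVKEYRING):
    """Run gpg and apply the policy above; requires gpg and the keyring."""
    proc = subprocess.run(gpg_verify_command(manifest_path, keyring),
                          capture_output=True, text=True)
    return manifest_accepted(proc.stdout, ldap_fingerprints)
```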

Replies

Subject Author
Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing "W. Trevor King" <wking@×××××××.us>