From: | Torsten Veller <ml-en@××××××.net>
---|---
To: | gentoo-dev@l.g.o
Subject: | [gentoo-dev] Individual developer signing
Date: | Thu, 03 Dec 2009 12:12:48
Message-Id: | 20091203103242.GA6316@veller.net
In Reply to: | Re: [gentoo-dev] GPG Infrastructure for Gentoo (Was Council Meeting) by "Robin H. Johnson"
* "Robin H. Johnson" <robbat2@g.o>:
> The GLEP on Individual developer signing has not made it into a Draft
> yet.
>
> But you can view the very brief version here:
> http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/02-developer-process-security?view=markup

[...]

> > 2. Every developer signs everything 100% of the time (make it a QA
> > check).
> +1 on this.

In the GLEPs I missed the point where the signatures of Manifests are verified.
Only the MetaManifest gets verified.

So what's the advantage of individually signed Manifests?

The only thing we can check: Is the key used for signing listed in LDAP
(and thus in "the keyring of automated Gentoo keys")? Are the keys in LDAP
really mine?

Am I missing anything?


BTW: About a third of the Manifests are signed [1]. We haven't improved
since 2005/2006 [2]. The two parties are working hard against each other [3].
55 Manifests are signed by revoked keys [4].

[1] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest.png
[2] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/ratio_2005.png
[3] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest2.png
[4] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/signatures_by_revoked_keys.txt
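The checks the mail says are missing from the GLEPs, signed-vs-unsigned ratio, is the signing key in the Gentoo keyring, is it revoked, are exactly what a QA pass over the tree would have to do. The script below is an added example and is not code from the mail, from the stats pages linked above or from the GLEPs. It walks a Portage-style tree, classifies each Manifest as clearsigned or not, and reduces gpg's machine-readable `--status-fd` output to a verdict; restricting gpg to one keyring (assumed here to be built from the LDAP-listed developer keys, path `gentoo-devs.gpg` is an assumption) makes "key not listed" show up as `NO_PUBKEY` and a good signature by a revoked key as `REVKEYSIG`. The Manifest texts, key id and status lines embedded in it are constructed samples, not real signatures or keys.

```python
"""Scan a Portage-style tree for Manifest files, report which are clearsigned,
and classify each signature from gpg's machine-readable status output.

Added example; not code from the original mail or from Gentoo's tree-signing
GLEPs. Keyring path, tree layout and every sample input are constructed.
"""
import os
import shutil
import subprocess
import sys
import tempfile
from collections import Counter

SIGNED_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"


def is_clearsigned(text):
    """True if the Manifest is an OpenPGP clearsigned message: it starts with the
    signed-message header and ends with the signature block, so a DIST line
    appended after the signature does not count as signed."""
    body = text.strip()
    return body.startswith(SIGNED_HEADER) and SIG_BEGIN in body and body.endswith(SIG_END)


def find_manifests(root):
    """Yield every file named Manifest below root, in a stable order."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        if "Manifest" in filenames:
            yield os.path.join(dirpath, "Manifest")


def signing_stats(root):
    """Count signed versus unsigned Manifests (the ratio the mail's graphs plot)."""
    counts = Counter()
    for path in find_manifests(root):
        with open(path, encoding="utf-8", errors="replace") as fh:
            counts["signed" if is_clearsigned(fh.read()) else "unsigned"] += 1
    return dict(counts)


# gpg status tags, worst first: the first one present decides the verdict.
# NO_PUBKEY is listed before ERRSIG because gpg emits both for an unknown key.
VERDICTS = [
    ("BADSIG", "bad"),
    ("NO_PUBKEY", "unknown-key"),   # key is not in the keyring we were given
    ("ERRSIG", "unverifiable"),
    ("REVKEYSIG", "revoked-key"),   # signature is good, but the key is revoked
    ("EXPKEYSIG", "expired-key"),
    ("EXPSIG", "expired-sig"),
    ("GOODSIG", "good"),
]


def classify_status(status_output):
    """Reduce `gpg --status-fd 1 --verify` output to (verdict, long key id).

    gpg reports exactly one of GOODSIG / REVKEYSIG / EXPKEYSIG for a signature
    that verifies, so REVKEYSIG is what a Manifest signed by a revoked key
    looks like to a checker."""
    seen = {}
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if fields[1] not in seen:
            seen[fields[1]] = fields[2] if len(fields) > 2 else ""
    for tag, verdict in VERDICTS:
        if tag in seen:
            return verdict, seen[tag]
    return "no-signature", ""


def verify_manifest(path, keyring):
    """Verify one Manifest against only `keyring` (assumed to hold the
    LDAP-listed developer keys) so a key missing from it is reported as
    'unknown-key' instead of being looked up elsewhere."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
           "--status-fd", "1", "--verify", path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return classify_status(proc.stdout)


# --- constructed sample data: not real signatures, key ids or gpg output ---
UNSIGNED_MANIFEST = "DIST foo-1.0.tar.bz2 1024 RMD160 0 SHA1 0 SHA256 0\n"
SIGNED_MANIFEST = (SIGNED_HEADER + "\nHash: SHA256\n\n" + UNSIGNED_MANIFEST + "\n"
                   + SIG_BEGIN + "\n\nnotarealsignature\n=AAAA\n" + SIG_END + "\n")
FAKE_KEYID = "0123456789ABCDEF"   # made-up long key id
GOOD_STATUS = f"[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG {FAKE_KEYID} Example Dev <dev@example.invalid>\n"
REVOKED_KEY_STATUS = f"[GNUPG:] NEWSIG\n[GNUPG:] REVKEYSIG {FAKE_KEYID} Example Dev <dev@example.invalid>\n"
UNKNOWN_KEY_STATUS = (f"[GNUPG:] NEWSIG\n[GNUPG:] ERRSIG {FAKE_KEYID} 1 10 00 1259835168 9\n"
                      f"[GNUPG:] NO_PUBKEY {FAKE_KEYID}\n")


def build_sample_tree():
    """Create a throwaway tree with one signed and two unsigned Manifests."""
    root = tempfile.mkdtemp(prefix="manifest-scan-")
    for pkg, text in (("app-misc/signed", SIGNED_MANIFEST),
                      ("app-misc/plain", UNSIGNED_MANIFEST),
                      ("dev-util/plain", UNSIGNED_MANIFEST)):
        os.makedirs(os.path.join(root, pkg))
        with open(os.path.join(root, pkg, "Manifest"), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    # Usage: manifest_sigs.py [TREE KEYRING]; without arguments it uses the samples.
    if len(sys.argv) == 3 and shutil.which("gpg"):
        tree, keyring = sys.argv[1], sys.argv[2]
        print("signing stats:", signing_stats(tree))
        for path in find_manifests(tree):
            print(path, *verify_manifest(path, keyring))
    else:
        print("signing stats:", signing_stats(build_sample_tree()))
        print("revoked-key sample ->", classify_status(REVOKED_KEY_STATUS))
```

`classify_status` deliberately looks only at the status tags and not at gpg's exit code: gpg exits 0 for a good signature by a revoked or expired key, so a checker keyed on the exit code alone would pass the 55 Manifests the mail counts.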
Subject | Author |
---|---|
Re: [gentoo-dev] Individual developer signing | Thilo Bangert <bangert@g.o> |
Re: [gentoo-dev] Individual developer signing | "Robin H. Johnson" <robbat2@g.o> |