Gentoo Archives: gentoo-dev

From: Torsten Veller <ml-en@××××××.net>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] Individual developer signing
Date: Thu, 03 Dec 2009 12:12:48
Message-Id: 20091203103242.GA6316@veller.net
In Reply to: Re: [gentoo-dev] GPG Infrastructure for Gentoo (Was Council Meeting) by "Robin H. Johnson"
* "Robin H. Johnson" <robbat2@g.o>:
> The GLEP on Individual developer signing has not made it into a Draft
> yet.
>
> But you can view the very brief version here:
> http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/02-developer-process-security?view=markup

[...]

> > 2. Every developer signs everything 100% of the time (make it a QA
> > check).
> +1 on this.

In the GLEPs I missed the point where the signatures of Manifests are verified.
Only the MetaManifest gets verified.

So what's the advantage of individually signed Manifests?

The only thing we can check: Is the key used for signing listed in ldap
(and thus in "the keyring of automated Gentoo keys")? Are the keys in ldap
really mine?

Am I missing anything?


BTW: About a third of the Manifests are signed [1]. We didn't improve
since 2005/2006 [2]. The two parties are working hard against each other [3].
55 Manifests are signed by revoked keys [4].

[1] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest.png
[2] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/ratio_2005.png
[3] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest2.png
[4] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/signatures_by_revoked_keys.txt
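The check the mail says is missing for individual Manifests (signature valid, signing key in the LDAP-derived keyring, key not revoked or expired) can be expressed as a policy over `gpg --status-fd` output. The following is an added example, not code from the thread or from Gentoo's tooling; `TRUSTED_FPRS` and the keyring path are assumptions standing in for the LDAP keyring, and the status lines in the test are constructed.

```python
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Assumption: the set of full fingerprints exported from LDAP, i.e. the
# "keyring of automated Gentoo keys". The value below is a constructed placeholder.
TRUSTED_FPRS: Set[str] = {"0123456789ABCDEF0123456789ABCDEF01234567"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def judge_status(status_lines: Iterable[str], trusted_fprs: Set[str]) -> Verdict:
    """Apply the Manifest policy to the '[GNUPG:] ...' lines gpg emits on --status-fd.

    gpg replaces GOODSIG with REVKEYSIG/EXPKEYSIG when the key is revoked/expired
    and still prints VALIDSIG, so those tags are rejected before GOODSIG is trusted.
    """
    good = False
    fpr = None
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            return Verdict(False, f"signature not valid: {tag}")
        if tag in ("REVKEYSIG", "EXPKEYSIG", "EXPSIG"):
            return Verdict(False, f"rejected: {tag}")  # the 55 revoked-key case
        if tag == "GOODSIG":
            good = True
        if tag == "VALIDSIG":
            fpr = fields[2]  # field 2 of VALIDSIG is the signing (sub)key fingerprint
    if not good or fpr is None:
        return Verdict(False, "no good signature found")
    if fpr not in trusted_fprs:
        return Verdict(False, "signing key not in LDAP keyring", fpr)
    return Verdict(True, "ok", fpr)


def verify_manifest(path: str, keyring: str, trusted_fprs: Set[str] = TRUSTED_FPRS) -> Verdict:
    """Verify one clearsigned Manifest against an explicit keyring only (no default keyring)."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
           "--status-fd", "1", "--verify", path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return judge_status(proc.stdout.splitlines(), trusted_fprs)
```

`verify_manifest` needs a local `gpg`; `judge_status` alone can be run over saved status output, which is how the test exercises the policy.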
