Note: Due to technical difficulties, the Archives are currently not up to date.
GMANE provides an alternative service for most mailing lists. c.f. bug 424647
On Sat, Oct 08, 2011 at 02:45:02PM -0700, "Paweł Hajdan, Jr." wrote:
> I checked
> <http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=5>
> and the Handbook only mentions validating MD5 checksums.
>
> There are two possible issues:
>
> 1. Why are we using _only_ MD5 and SHA1 as the checksums? Shouldn't we
> be using something stronger?
Fixed in Catalyst now.
http://git.overlays.gentoo.org/gitweb/?p=proj/catalyst.git;a=commit;h=42b4f6608682cf03954918ecce7923330a1656fe
So when the stagebuilders update their Catalyst, they will be generated
with newer hashes.
> 2. I noticed the checksums are signed (.asc files). With what key are
> they signed? How is that key handled, and how to ensure people use the
> right key when verifying the signature?
Documented here:
http://www.gentoo.org/proj/en/releng/
Relevant to this discussion:
The weekly builds are signed with:
key 2D182910 RSA 4096-bit, generated 2009/08/25
Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@g.o>
It's located in the pipeline that collects stages and isos for publication.
The non-weekly releases (eg 11.2) have a separate key
key 17072058, DSA 1024-bit, generated 2004/07/20
Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@g.o>
--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@g.o
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
|
|
