List Archive: gentoo-dev
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
On Sat, Oct 08, 2011 at 02:45:02PM -0700, "Paweł Hajdan, Jr." wrote:
> I checked
> and the Handbook only mentions validating MD5 checksums.
> There are two possible issues:
> 1. Why are we using _only_ MD5 and SHA1 as the checksums? Shouldn't we
> be using something stronger?
Fixed in Catalyst now.
So when the stagebuilders update their Catalyst, they will be generated
with newer hashes.
> 2. I noticed the checksums are signed (.asc files). With what key are
> they signed? How is that key handled, and how to ensure people use the
> right key when verifying the signature?
Relevant to this discussion:
The weekly builds are signed with:
key 2D182910 RSA 4096-bit, generated 2009/08/25
Gentoo Linux Release Engineering (Automated Weekly Release Key) <firstname.lastname@example.org>
It's located in the pipeline that collects stages and isos for publication.
The non-weekly releases (eg 11.2) have a separate key
key 17072058, DSA 1024-bit, generated 2004/07/20
Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <email@example.com>
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : firstname.lastname@example.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85