On Fri, Jun 08, 2012 at 03:40:57PM +0200, Michael Weber wrote:
> I'd suggest to generate an tarball (containing an keyring) to sign by
> an master key (member of trustee/council/..) to be deployed on all
> systems (like it's done on archlinux and debian).
> But the current vulnerability is exporting/importhing these keys to
> pgp.mit.edu et al.
If you just want to check for valid signatures, you can blindly
download the keys from a keyserver. If you want to verify that those
signing keys belong to Gentoo devs, you'll need a web of trust, just
like any other PGP situation. The problem is distributing the trust,
not the distributing the keys .
If you want a central policy for trusting Gentoo devs, you've already
got an authentication scheme set up to log into the Gentoo servers.
If you trust that scheme, and trust those servers against privilege
escalation and the like, then if a dev can log into the server and
configure their preferred key fingerprint, that seems like a
sufficiently rigorous proof for the Gentoo infra folks to conclude
that the dev in question owns the key in question.
The fact that the Gentoo infra folks might trust the dev's key enough
to publish snapshots signed by that key has no bearing on whether I,
as a non Gentoo dev who knows none of the infra folks, can trust the
key. I've got to establish my own web of trust to make that happen,
and it's not something that I expect Gentoo to help me with.
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy