List Archive: gentoo-dev
To: gentoo-dev@g.o
From: "W. Trevor King" <wking@...>
Subject: Re: Git braindump: 1 of N: merging & git signing
Date: Fri, 08 Jun 2012 14:08:22 -0400
On Fri, Jun 08, 2012 at 03:40:57PM +0200, Michael Weber wrote:
> I'd suggest generating a tarball (containing a keyring) signed by
> a master key (member of trustee/council/..) to be deployed on all
> systems (like it's done on Arch Linux and Debian).
> 
> But the current vulnerability is exporting/importing these keys to
> pgp.mit.edu et al.

If you just want to check for valid signatures, you can blindly
download the keys from a keyserver.  If you want to verify that those
signing keys belong to Gentoo devs, you'll need a web of trust, just
like any other PGP situation.  The problem is distributing the trust,
not distributing the keys [1].

If you want a central policy for trusting Gentoo devs, you've already
got an authentication scheme set up to log into the Gentoo servers.
If you trust that scheme, and trust those servers against privilege
escalation and the like, then if a dev can log into the server and
configure their preferred key fingerprint, that seems like a
sufficiently rigorous proof for the Gentoo infra folks to conclude
that the dev in question owns the key in question.

The fact that the Gentoo infra folks might trust the dev's key enough
to publish snapshots signed by that key has no bearing on whether I,
as a non-Gentoo dev who knows none of the infra folks, can trust the
key.  I've got to establish my own web of trust to make that happen,
and it's not something that I expect Gentoo to help me with.

[1]:
  http://www.gnupg.org/gph/en/manual.html#AEN533
  http://www.gnupg.org/gph/en/manual.html#AEN554

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy
Attachment:
signature.asc (OpenPGP digital signature)
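The distinction the message draws, "the signature verifies" versus "the signing key is one we trust", in code. This is an added example, not from the thread or from Gentoo infra: it reads the status lines gpg prints with --status-fd, takes the signing key's fingerprint from VALIDSIG, and accepts only keys on a pinned list (the "dev configured their preferred fingerprint" policy); the fingerprints and status lines are constructed sample data.

```python
# Added example: accept a detached signature only when it verifies AND the
# signing key's fingerprint is pinned. Sample data below is constructed.

# Constructed placeholder mapping, fingerprint -> developer, as infra might publish it.
PINNED = {"0123456789ABCDEF0123456789ABCDEF01234567": "dev-alice"}


def parse_status(lines):
    """Return (verified, fingerprint, trust) from gpg --status-fd output lines."""
    verified, fpr, trust = False, None, None
    for line in lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        kw = fields[1]
        if kw == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsv> <pkalgo> <hash> <class> [<primary-fpr>]
            # Prefer the primary-key fingerprint (12th field) when a subkey signed.
            fpr = fields[11] if len(fields) >= 12 else fields[2]
            verified = True
        elif kw.startswith("TRUST_"):
            trust = kw[len("TRUST_"):]  # gpg's own web-of-trust verdict
        elif kw in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            verified = False
    return verified, fpr, trust


def accept(lines):
    """Policy: a valid signature from an unpinned key is still rejected."""
    verified, fpr, trust = parse_status(lines)
    if not verified:
        return "reject: signature did not verify"
    dev = PINNED.get(fpr)
    if dev is None:
        return "reject: valid signature, but key %s is not pinned" % fpr
    return "accept: signed by %s (gpg web-of-trust verdict: %s)" % (dev, trust)


# Constructed: pinned key; gpg's web of trust says nothing about it, pinning does.
STATUS_PINNED = [
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2012-06-08 1339178902 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Constructed: key blindly fetched from a keyserver; signature valid, key unknown.
STATUS_UNPINNED = [
    "[GNUPG:] VALIDSIG 76543210FEDCBA9876543210FEDCBA9876543210 2012-06-08 1339178902 0 4 0 1 10 00 76543210FEDCBA9876543210FEDCBA9876543210",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Constructed: data tampered with after signing.
STATUS_BAD = ["[GNUPG:] BADSIG 89ABCDEF01234567 dev-alice <alice@example.invalid>"]

if __name__ == "__main__":
    for name, status in (("pinned", STATUS_PINNED), ("unpinned", STATUS_UNPINNED), ("bad", STATUS_BAD)):
        print(name, "->", accept(status))
```

In a real check the lines would come from `gpg --status-fd 1 --verify snapshot.sig snapshot` (assumed invocation); the pinned list is what distributes the trust, the keyserver only distributes the keys.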