Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-dev
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-dev@g.o
From: "Paweł Hajdan, Jr." <phajdan.jr@g.o>
Subject: Re: integrity of stage files
Date: Sat, 08 Oct 2011 16:39:40 -0700
On 10/8/11 3:43 PM, Robin H. Johnson wrote:
>> 1. Why are we using _only_ MD5 and SHA1 as the checksums? Shouldn't we
>> be using something stronger?
> Fixed in Catalyst now.
> http://git.overlays.gentoo.org/gitweb/?p=proj/catalyst.git;a=commit;h=42b4f6608682cf03954918ecce7923330a1656fe
> So when the stagebuilders update their Catalyst, they will be generated
> with newer hashes.

Thank you for a quick reaction, but maybe in one aspect it was too
quick:
<http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=5>
tells people to use md5sum, and the patch above _removes_ md5 sum, which
means the Handbook instructions now won't work.

Suggested course of action:

1. Please re-add md5 sum.
2. File a bug to modify the handbook to verify sha sum instead.
3. Then remove the checksum.

>> 2. I noticed the checksums are signed (.asc files). With what key are
>> they signed? How is that key handled, and how to ensure people use the
>> right key when verifying the signature?
> Documented here:
> http://www.gentoo.org/proj/en/releng/

Ah, I just forgot about that page. Okay, so can we also update the
Handbook to include GPG signature checking?

Attachment:
signature.asc (OpenPGP digital signature)
Replies:
Re: integrity of stage files
-- Robin H. Johnson
References:
integrity of stage files
-- Paweł Hajdan, Jr.
Re: integrity of stage files
-- Robin H. Johnson
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: integrity of stage files
Next by thread:
Re: integrity of stage files
Previous by date:
Re: GCC upgrades, FUD and gentoo documentation
Next by date:
Re: integrity of stage files


Updated Jun 29, 2012

Summary: Archive of the gentoo-dev mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.