From: Paweł Hajdan
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] integrity of stage files
Date: Sat, 08 Oct 2011 23:40:24
Message-Id: 4E90DF3C.8030307@gentoo.org
In Reply to: Re: [gentoo-dev] integrity of stage files by "Robin H. Johnson"
On 10/8/11 3:43 PM, Robin H. Johnson wrote:
>> 1. Why are we using _only_ MD5 and SHA1 as the checksums? Shouldn't we
>> be using something stronger?
> Fixed in Catalyst now.
> http://git.overlays.gentoo.org/gitweb/?p=proj/catalyst.git;a=commit;h=42b4f6608682cf03954918ecce7923330a1656fe
> So when the stagebuilders update their Catalyst, they will be generated
> with newer hashes.

Thank you for the quick reaction, but maybe in one aspect it was too
quick:
<http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=5>
tells people to use md5sum, and the patch above _removes_ the md5 sum, which
means the Handbook instructions now won't work.

Suggested course of action:

1. Please re-add the md5 sum.
2. File a bug to modify the handbook to verify the sha sum instead.
3. Then remove the checksum.

>> 2. I noticed the checksums are signed (.asc files). With what key are
>> they signed? How is that key handled, and how to ensure people use the
>> right key when verifying the signature?
> Documented here:
> http://www.gentoo.org/proj/en/releng/

Ah, I just forgot about that page. Okay, so can we also update the
Handbook to include GPG signature checking?
Attachment: signature.asc (application/pgp-signature)

Replies: Re: [gentoo-dev] integrity of stage files, by "Robin H. Johnson" <robbat2@g.o>
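The two points raised in this message (stronger hashes than MD5/SHA1, and checking the GPG signature on the checksum file with the right key) amount to one verification procedure for a downloaded stage file. The following is an added example of that procedure in Python; it is not code from this thread, from Catalyst, or from the Handbook. It assumes a DIGESTS layout of `# <ALGO> HASH` header lines followed by md5sum-style `<hex>  <filename>` lines, a clearsigned `DIGESTS.asc`, and that the caller already knows the release-engineering key's fingerprint (the `expected_fpr` parameter, from the releng page). The stage contents and the clearsign armor in `demo()` are constructed so the example runs offline without gpg.

```python
# Added example, not Catalyst, Handbook or releng code.  Assumed input layout:
#   DIGESTS      "# <ALGO> HASH" header lines, each followed by md5sum-style
#                "<hex>  <filename>" lines, one block per algorithm
#   DIGESTS.asc  a clearsigned copy of DIGESTS; the expected signing-key
#                fingerprint comes from the releng page, not from this code
import hashlib
import os
import re
import subprocess
import tempfile
from pathlib import Path

STRONG = ("sha512", "sha256")  # the only hashes accepted as proof of integrity
WEAK = ("md5", "sha1")         # checked when present, never sufficient alone
_HEADER = re.compile(r"^#\s*(\w+)\s+HASH\b", re.IGNORECASE)


def gpg_verify_clearsigned(asc_path, expected_fpr, gnupghome=None):
    """gpg --verify DIGESTS.asc.  GOODSIG alone is not enough (any imported key
    yields one): a VALIDSIG status line must carry the expected fingerprint.
    Needs gpg with the key imported; the offline demo() does not call this."""
    env = dict(os.environ)
    if gnupghome:
        env["GNUPGHOME"] = gnupghome
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", str(asc_path)],
                          capture_output=True, text=True, env=env, check=False)
    fpr = expected_fpr.replace(" ", "").upper()
    valid = [ln for ln in proc.stdout.splitlines()
             if ln.startswith("[GNUPG:] VALIDSIG ") and fpr in ln.split()]
    return proc.returncode == 0 and bool(valid)


def strip_clearsign(text):
    """Signed body of an OpenPGP clearsigned text, armor headers dropped and
    dash-escaping undone.  Verifies nothing; run gpg on the file first."""
    lines = text.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        end = lines.index("-----BEGIN PGP SIGNATURE-----")
    except ValueError:
        raise ValueError("not a clearsigned message") from None
    body = lines[start + 1:end]
    body = body[body.index("") + 1:]  # "Hash: ..." headers end at a blank line
    return "\n".join(ln[2:] if ln.startswith("- ") else ln for ln in body)


def parse_digests(text):
    """Parse DIGESTS text into {algo: {filename: hexdigest}}."""
    digests, algo = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = _HEADER.match(line)
        if m:
            algo = m.group(1).lower()
            digests.setdefault(algo, {})
            continue
        if algo is None:
            raise ValueError("digest line before any '# ALGO HASH' header: %r" % line)
        parts = line.split(None, 1)
        if len(parts) != 2 or not re.fullmatch(r"[0-9a-fA-F]+", parts[0]):
            raise ValueError("malformed digest line: %r" % line)
        digests[algo][parts[1].lstrip("*")] = parts[0].lower()  # "*name": binary mode
    return digests


def verify_stage(path, digests):
    """(status, algos).  OK: every strong hash listed for the file matched.
    FAIL: a listed hash did not match.  WEAK_ONLY: only MD5/SHA1 listed (pre-fix
    Catalyst output), which proves nothing.  MISSING: file not listed."""
    path = Path(path)
    data = path.read_bytes()
    matched, failed = [], []
    for algo in STRONG + WEAK:
        expected = digests.get(algo, {}).get(path.name)
        if expected is not None:
            ok = hashlib.new(algo, data).hexdigest() == expected
            (matched if ok else failed).append(algo)
    if failed:
        return "FAIL", failed
    strong = [a for a in matched if a in STRONG]
    if strong:
        return "OK", strong
    return ("WEAK_ONLY", matched) if matched else ("MISSING", [])


def demo():
    """Constructed, offline run (no gpg): one fake stage file against a post-fix
    DIGESTS (SHA512 present), a pre-fix one (MD5/SHA1 only), and after tampering.
    The clearsign armor is constructed too; real input must pass
    gpg_verify_clearsigned() before its stripped body is trusted."""
    with tempfile.TemporaryDirectory() as tmp:
        stage = Path(tmp) / "stage3-constructed.tar.bz2"
        data = b"constructed stage3 payload, not a real tarball\n"
        stage.write_bytes(data)
        def block(algo):  # one "# ALGO HASH" section for the stage file
            return "# %s HASH\n%s  %s\n" % (
                algo.upper(), hashlib.new(algo, data).hexdigest(), stage.name)
        new_style = block("md5") + block("sha1") + block("sha512")
        old_style = block("md5") + block("sha1")
        clearsigned = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n" + new_style
                       + "-----BEGIN PGP SIGNATURE-----\n(omitted)\n-----END PGP SIGNATURE-----\n")
        results = {"new": verify_stage(stage, parse_digests(strip_clearsign(clearsigned))),
                   "old": verify_stage(stage, parse_digests(old_style))}
        stage.write_bytes(data + b"\x00")  # one extra byte: corruption or tampering
        results["tampered"] = verify_stage(stage, parse_digests(new_style))
        return results
```

`demo()` returns three results: the post-fix DIGESTS gives `("OK", ["sha512"])`, the pre-fix one gives `("WEAK_ONLY", ["md5", "sha1"])` rather than a pass, and the tampered file gives `("FAIL", ...)`. Two design points follow the thread: a DIGESTS that only carries MD5/SHA1 is reported as insufficient instead of silently accepted, so a Handbook step built on this check would fail closed on old stages; and the signature check pins the signer's fingerprint rather than trusting any key gpg happens to know, which is the "right key" problem raised in point 2.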