| 1 |
Hi, |
| 2 |
|
| 3 |
I think the main problems would be: |
| 4 |
|
| 5 |
-how do the gentoo developer trust each other |
| 6 |
(-> personal meeting?) |
| 7 |
|
| 8 |
-how do the gentoo developer sign a package? do they sign only |
| 9 |
the ebuilds? if they sign the tarballs how do they check the |
| 10 |
correctness of the tarballs? do they check md5sums here? then |
| 11 |
this 'security' would be as secure as md5. |
| 12 |
|
| 13 |
There are not many gpg-signed packages around, and if they are |
| 14 |
signed who knows that the key belongs to the author and that |
| 15 |
you can trust the author? |
| 16 |
|
| 17 |
I think a web of trust between the gentoo developers is a start, |
| 18 |
but what we really need is a web of trust between package developers |
| 19 |
and users, the gentoo developers should try to make a web of trust |
| 20 |
between them and package developers. |
| 21 |
|
| 22 |
In the end the gentoo developers should only check the signed tarballs |
| 23 |
(which are signed by the package developers) and if they are ok they |
| 24 |
can put the packages into gentoo. |
| 25 |
The users have only to trust one of the gentoo developers (maybe on |
| 26 |
a tradeshow or something similar where is a gentoo booth). |
| 27 |
|
| 28 |
Hannes Mehnert |
| 29 |
|
| 30 |
GPG-Fingerprint: B3BB E539 F6BF 6942 1492 3ACF 45CB 8D97 3881 8D1C |
Archives