Hi,

I think the main problems would be:

- how do the gentoo developers trust each other
  (-> personal meeting?)

- how do the gentoo developers sign a package? do they sign only
  the ebuilds? if they sign the tarballs how do they check the
  correctness of the tarballs? do they check md5sums here? then
  this 'security' would be as secure as md5.

There are not many gpg-signed packages around, and if they are
signed who knows that the key belongs to the author and that
you can trust the author?

I think a web of trust between the gentoo developers is a start,
but what we really need is a web of trust between package developers
and users; the gentoo developers should try to make a web of trust
between them and package developers.

In the end the gentoo developers should only check the signed tarballs
(which are signed by the package developers) and if they are ok they
can put the packages into gentoo.
The users have only to trust one of the gentoo developers (maybe at
a tradeshow or something similar where there is a gentoo booth).

Hannes Mehnert

GPG-Fingerprint: B3BB E539 F6BF 6942 1492 3ACF 45CB 8D97 3881 8D1C
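The trust chain the message proposes (user trusts one gentoo developer in person, gentoo developers certify each other and the upstream package developers, and a tarball is accepted only if its signer's key is reachable through that chain) can be made concrete with a small model of OpenPGP-style key validity. The following is an added example, not code from the message, from Gentoo or from GnuPG; it is a simplified version of the OpenPGP validity rule (one fully trusted certifier, or several marginally trusted ones, within a bounded path length), and all key names and the scenario in build_example() are constructed for illustration.

```python
from collections import defaultdict

# Ownertrust levels, modelled loosely on OpenPGP: how far the user trusts a
# key holder to certify *other* people's keys correctly.
FULL = "full"
MARGINAL = "marginal"


class WebOfTrust:
    """Toy web of trust: keys, certifications between them, and ownertrust."""

    def __init__(self):
        self.certified_by = defaultdict(set)  # subject key -> keys that signed it
        self.ownertrust = {}                  # key -> FULL or MARGINAL

    def certify(self, signer, subject):
        """Record that `signer` has signed (certified) `subject`'s key."""
        self.certified_by[subject].add(signer)

    def set_ownertrust(self, key, level):
        self.ownertrust[key] = level

    def valid_keys(self, own_key, marginals_needed=3, max_depth=5):
        """Compute which keys are *valid* (believed to belong to the named
        owner) from the point of view of `own_key`.

        Simplified OpenPGP rule: a key is valid if it is certified by one
        valid key with FULL ownertrust, or by at least `marginals_needed`
        valid keys with MARGINAL ownertrust, within `max_depth` hops.
        Returns {key: hop distance from own_key}.
        """
        valid = {own_key: 0}            # own key is valid by definition
        trust = dict(self.ownertrust)
        trust[own_key] = FULL           # and fully trusted as a certifier
        changed = True
        while changed:                  # iterate to a fixed point
            changed = False
            for subject, signers in self.certified_by.items():
                if subject in valid:
                    continue
                usable = [s for s in signers if s in valid and valid[s] < max_depth]
                full = [s for s in usable if trust.get(s) == FULL]
                marginal = [s for s in usable if trust.get(s) == MARGINAL]
                if full:
                    contributing = full
                elif len(marginal) >= marginals_needed:
                    contributing = marginal
                else:
                    continue
                valid[subject] = 1 + min(valid[s] for s in contributing)
                changed = True
        return valid


def signer_accepted(wot, own_key, signer_key):
    """Would a tarball signed by `signer_key` be accepted by `own_key`'s owner?"""
    return signer_key in wot.valid_keys(own_key)


def build_example():
    """Constructed scenario; every key name here is hypothetical."""
    wot = WebOfTrust()
    # The user met gentoo-dev-A at a booth, checked the fingerprint, signed
    # the key and fully trusts A to certify other keys.
    wot.certify("user", "gentoo-dev-A")
    wot.set_ownertrust("gentoo-dev-A", FULL)
    # Gentoo developers certify each other after meeting in person; the user
    # trusts each of them only marginally as a certifier.
    for dev in ("gentoo-dev-B", "gentoo-dev-C", "gentoo-dev-D"):
        wot.certify("gentoo-dev-A", dev)
        wot.set_ownertrust(dev, MARGINAL)
    # Gentoo developers certify the upstream package developers' keys.
    wot.certify("gentoo-dev-A", "upstream-foo")
    for dev in ("gentoo-dev-B", "gentoo-dev-C", "gentoo-dev-D"):
        wot.certify(dev, "upstream-baz")
    # upstream-bar's key is self-signed only: nobody the user trusts vouches for it.
    wot.certify("upstream-bar", "upstream-bar")
    # upstream-qux is certified by only two marginally trusted developers.
    wot.certify("gentoo-dev-B", "upstream-qux")
    wot.certify("gentoo-dev-C", "upstream-qux")
    return wot


if __name__ == "__main__":
    wot = build_example()
    for key in ("upstream-foo", "upstream-baz", "upstream-qux", "upstream-bar"):
        print(key, "accepted" if signer_accepted(wot, "user", key) else "rejected")
```

Running the script accepts upstream-foo (one hop through the fully trusted developer) and upstream-baz (three marginal certifiers), and rejects upstream-qux (only two marginal certifiers) and upstream-bar (a signature exists, but no trusted key says whose it is), which is exactly the "who knows that the key belongs to the author" case: a signed tarball buys nothing until the signing key is reachable through certifications the user trusts.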