On 03/25/2011 07:55 AM, "Paweł Hajdan, Jr." wrote:
> On 3/24/11 10:59 PM, Mike Frysinger wrote:
>> is there any reason we should allow people to commit unsigned
>> Manifests anymore? generating/posting/enabling a gpg key is
>> ridiculously easy and there's really no excuse for a dev to not have
>> done this already.
>
> Firstly, I'm excited we're moving towards a signed portage tree.
>
> We can start with a repoman warning (yellow) and a transition period.
>
>> when i look at the tree, the signed stats are stupid low:
>> $ find *-* -maxdepth 2 -name Manifest | wc -l
>> 14438
>> $ find *-* -maxdepth 2 -name Manifest -exec grep -l 'BEGIN PGP SIGNATURE' {} + | wc -l
>> 6032
>
> If I'm interpreting the data correctly, about 43% of Manifest files are
> signed. That's not too bad, I was expecting something more like 5%.
>
> By the way, is it acceptable to use the same GPG key for e-mail and
> signing packages?

Yes. In fact, I'd recommend it. Saves having to try to keep track of 2
keys / dev.

Having said that, for those that just use "keys" for e-mails (most of
us), it would make more sense to use full-blown SSL certs in the long run.
(Mathematically, same thing. But a cert needs to be signed by a CA, and
we should ideally maintain a Gentoo CA.) I need to get up to speed with
the GLEPs pertaining to this. Let's just say I have a fair bit of
experience in this field. I may be able to offer some ideas /
suggestions. I would very much like to see this happen.

But for the meantime, yes, it's safe.

--
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index