| 1 |
On Sun, 4 Aug 2002 18:55:31 +0200 |
| 2 |
Spider <spider@g.o> wrote: |
| 3 |
|
| 4 |
> Well, I was browsing around the other day checking into the "behind the |
| 5 |
> scenes" work of gnupg and keyservers when I stumbled on this link.. |
| 6 |
> |
| 7 |
> |
| 8 |
> http://www.cryptnet.net/fdp/crypto/strong_distro.html |
| 9 |
> |
| 10 |
|
| 11 |
I actually created a small program that would use GPG and could |
| 12 |
easily integrate into portage. I'm pretty sure I posted it here |
| 13 |
awhile ago... (I attached it again) |
| 14 |
|
| 15 |
What would happen is that there would be a master key ring (drobbins?) that would |
| 16 |
sign all of the other developer's public keys. All these keys (and signatures) would be |
| 17 |
attached to a keyring in /usr/portage/profiles/gentoo-keys.gpg. The developers - in turn - |
| 18 |
would sign the ebuilds and/or the source packages. When portage is ran, the logic within |
| 19 |
would verify the detached signature created by by the developer, compare it with the master |
| 20 |
Gentoo key and install accordingly. |
| 21 |
|
| 22 |
The source I've included is just a simple program that does all the functionality I think |
| 23 |
we need it to do. |
| 24 |
|
| 25 |
Regarding breaking compatibility - the files/ directory could have a digest-blah.gpg and a |
| 26 |
variable in /etc/make.conf AUTH_METHOD=GPG,MD5 as an example. |
| 27 |
|
| 28 |
Regarding enforcing 'minimum developer effort", I think repoman is perfect for the job. |
| 29 |
|
| 30 |
As for a keyring - all a developer has to do is create their own key, and verify the |
| 31 |
fingerprint with someone... Doing a three way phone call would work - one person is someone |
| 32 |
we all trust, the other person is there to verify the fingerprint (as is the first person), |
| 33 |
and the last person is the person being added to the keyring... A simple challenge and response... |
| 34 |
|
| 35 |
Regards, |
| 36 |
Ryan |
Archives