On Sun, 4 Aug 2002 18:55:31 +0200
Spider <spider@g.o> wrote:

> Well, I was browsing around the other day checking into the "behind the
> scenes" work of gnupg and keyservers when I stumbled on this link..
>
>
> http://www.cryptnet.net/fdp/crypto/strong_distro.html
>

I actually created a small program that would use GPG and could
easily integrate into portage. I'm pretty sure I posted it here
a while ago... (I attached it again)

What would happen is that there would be a master key ring (drobbins?) that would
sign all of the other developers' public keys. All these keys (and signatures) would be
attached to a keyring in /usr/portage/profiles/gentoo-keys.gpg. The developers - in turn -
would sign the ebuilds and/or the source packages. When portage is run, the logic within
would verify the detached signature created by the developer, compare it with the master
Gentoo key and install accordingly.

The source I've included is just a simple program that does all the functionality I think
we need it to do.

Regarding breaking compatibility - the files/ directory could have a digest-blah.gpg and a
variable in /etc/make.conf AUTH_METHOD=GPG,MD5 as an example.

Regarding enforcing 'minimum developer effort', I think repoman is perfect for the job.

As for a keyring - all a developer has to do is create their own key, and verify the
fingerprint with someone... Doing a three-way phone call would work - one person is someone
we all trust, the other person is there to verify the fingerprint (as is the first person),
and the last person is the person being added to the keyring... A simple challenge and response...

Regards,
Ryan
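The flow Ryan describes (a master key certifies developer keys, the certified keys are exported into a gentoo-keys.gpg keyring, developers detach-sign ebuilds, and portage verifies the signature and checks it back to the master key) modelled as a GnuPG shell script. This is an added example, not Ryan's attached program and not anything from portage; every user ID, file name, and the temporary-directory stand-in for /usr/portage/profiles/gentoo-keys.gpg is an assumption of the example. It goes one step beyond the mail by also showing the two rejections the check has to produce: an ebuild whose signer is present in the keyring but was never certified by the master key, and an ebuild modified after signing.

```shell
#!/bin/sh
# Added example (not Ryan's program, not portage code): a master key certifies a
# developer key, the certified keys are exported into gentoo-keys.gpg, the developer
# detach-signs an ebuild, and the "portage" side accepts the ebuild only if the
# signature is good AND the signing key carries a certification from the master key.
# All user IDs, file names and the temp-dir keyring path are assumptions.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
KEYRING="$WORK/gentoo-keys.gpg"        # stands in for /usr/portage/profiles/gentoo-keys.gpg

# Run gpg non-interactively in an isolated homedir: $1 = homedir, rest = gpg arguments.
gpg_in() {
    _home=$1; shift
    gpg --batch --quiet --homedir "$_home" --pinentry-mode loopback --passphrase '' "$@"
}
mkhome() { mkdir -m 700 "$WORK/$1"; printf '%s' "$WORK/$1"; }
fpr_of() { gpg_in "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }

MASTER_HOME=$(mkhome master); DEV_HOME=$(mkhome dev)
UNCERT_HOME=$(mkhome uncert); PORTAGE_HOME=$(mkhome portage)

# 1. Keys: the master key, one developer key, and one key the master never certifies.
gpg_in "$MASTER_HOME" --quick-generate-key 'Gentoo Master (example)' ed25519 sign 0
gpg_in "$DEV_HOME"    --quick-generate-key 'Developer (example) <dev@example.invalid>' ed25519 sign 0
gpg_in "$UNCERT_HOME" --quick-generate-key 'Uncertified (example) <x@example.invalid>' ed25519 sign 0
MASTER_FPR=$(fpr_of "$MASTER_HOME" 'Gentoo Master (example)')
DEV_FPR=$(fpr_of "$DEV_HOME" dev@example.invalid)
UNCERT_FPR=$(fpr_of "$UNCERT_HOME" x@example.invalid)

# 2. The master key certifies the developer's key (after the out-of-band fingerprint check).
gpg_in "$DEV_HOME" --export "$DEV_FPR" > "$WORK/dev.pub"
gpg_in "$MASTER_HOME" --import "$WORK/dev.pub"
gpg_in "$MASTER_HOME" --local-user "$MASTER_FPR" --quick-sign-key "$DEV_FPR"

# 3. The keyring portage ships: master key plus the keys it certified. The uncertified
#    key is appended too, to show that being present in the file is not enough.
gpg_in "$MASTER_HOME" --export "$MASTER_FPR" "$DEV_FPR" > "$KEYRING"
gpg_in "$UNCERT_HOME" --export "$UNCERT_FPR" >> "$KEYRING"

# 4. The developer detach-signs an ebuild (constructed sample content).
EBUILD="$WORK/foo-1.0.ebuild"
printf 'DESCRIPTION="example package"\nSRC_URI="http://example.invalid/foo-1.0.tar.gz"\n' > "$EBUILD"
gpg_in "$DEV_HOME" --local-user "$DEV_FPR" --detach-sign --output "$EBUILD.sig" "$EBUILD"
# Negative cases: the same ebuild signed by the uncertified key, and a copy altered after signing.
gpg_in "$UNCERT_HOME" --local-user "$UNCERT_FPR" --detach-sign --output "$EBUILD.uncert.sig" "$EBUILD"
cp "$EBUILD" "$EBUILD.tampered"; printf 'RDEPEND="changed after signing"\n' >> "$EBUILD.tampered"

# 5. Portage-side check: returns 0 only for a good signature from a master-certified key.
verify_ebuild() { # $1 = ebuild, $2 = detached signature
    # VALIDSIG field 12 is the primary-key fingerprint (field 3 if an old gpg omits it).
    _signer=$(gpg_in "$PORTAGE_HOME" --no-default-keyring --keyring "$KEYRING" \
                  --status-fd 1 --verify "$2" "$1" 2>/dev/null \
              | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print ($12 != "" ? $12 : $3); exit}')
    if [ -z "$_signer" ]; then
        echo "REJECT $1: no valid signature"; return 1
    fi
    _master_kid=$(printf '%s' "$MASTER_FPR" | tail -c 16)   # long key ID = last 16 hex digits
    # A "sig:!:" record from the master key ID on the signer's key is a good certification.
    if gpg_in "$PORTAGE_HOME" --no-default-keyring --keyring "$KEYRING" \
           --with-colons --check-sigs "$_signer" 2>/dev/null \
       | grep -q "^sig:!:[^:]*:[^:]*:$_master_kid:"; then
        echo "ACCEPT $1: signed by $_signer, certified by master $_master_kid"; return 0
    fi
    echo "REJECT $1: signer $_signer is not certified by the master key"; return 1
}

verify_ebuild "$EBUILD" "$EBUILD.sig"          || true   # expected: ACCEPT
verify_ebuild "$EBUILD" "$EBUILD.uncert.sig"   || true   # expected: REJECT (uncertified signer)
verify_ebuild "$EBUILD.tampered" "$EBUILD.sig" || true   # expected: REJECT (content changed)
```

The important design point is in step 5: `gpg --verify` reporting VALIDSIG only says the signature matches some key in gentoo-keys.gpg. The check that links the signer to the master key is the separate `--check-sigs` lookup, and without it anyone who gets a key into the keyring file can sign ebuilds that portage would accept.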