List Archive: gentoo-dev
Headers:
To: gentoo-dev@g.o
From: Michael Weber <xmw@g.o>
Subject: Re: Git braindump: 1 of N: merging & git signing
Date: Fri, 08 Jun 2012 15:40:57 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 06/08/2012 01:36 PM, Rich Freeman wrote:

> I doubt any dev checks the signatures on manifest files before
> they overwrite them with a new signature.  If they did it wouldn't
> matter since those signatures aren't even mandatory anyway.
> Certainly it isn't intuitive to me that when I perform a signature
> on changes I make that I'm also vouching for work committed by
> somebody else before me.

I'm trying to do this, but first we need a keyring with all dev gpg
keys - securely distributed - to verify the signatures.

We (almost all) have gentoogpg key-ids in ldap, most have fingerprints
in gentoofingerprint in ldap, but we have to download these keys from
public keyservers. And it's not mandatory to either sign at all or sign
with keys mentioned in ldap.

Someone pointed me to tove's list of gpg keys used for signing [1].

I'd suggest generating a tarball (containing a keyring), signed by a
master key (member of trustee/council/..), to be deployed on all
systems (like it's done on Arch Linux and Debian).

But the current vulnerability is exporting/importing these keys to
pgp.mit.edu et al.

Suggestions?

   Michael

[1] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/keys_in_use.txt

- --
Gentoo Dev
http://xmw.de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk/SAOkACgkQknrdDGLu8JBWywD/e4kT9jUt3CFFMZgMla14zdwT
dmZZs4R5to9CikKAFqwA/1dcXV9/8H/qrW0q8yO7pEIdCdr8RD2d0mochceEeyxd
=+k9D
-----END PGP SIGNATURE-----
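The weak link Michael points at is that a key-id in LDAP does not bind a developer to a key fetched from pgp.mit.edu: anyone can upload a key carrying the same id. Below is an added example, not code from this thread or from Gentoo's tooling, of the pinning step a keyring builder would run before anything goes into the signed tarball: parse a binary OpenPGP public-key packet as exported by gpg or returned by a keyserver, compute its RFC 4880 v4 fingerprint, derive the key-id from it, and compare both with what the developer's record says. The record keys `keyid` and `fingerprint` are stand-ins for the LDAP attributes, the function names are my own, and the RSA parameters and records are constructed (far too small to be a usable key). Verifying Manifest signatures against the resulting keyring is still gpg's job; this only decides which keys deserve to be in it.

```python
"""Pin keyserver-fetched OpenPGP keys to fingerprints published in LDAP.

Added example; not code from the gentoo-dev thread or from Gentoo.
It parses a binary OpenPGP public-key packet (RFC 4880), computes the v4
fingerprint (SHA-1 over 0x99 || 2-octet length || packet body), derives
the 64-bit key-id from it, and compares against a developer record that
stands in for the LDAP entry.  RSA parameters and records are constructed.
"""
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit length, then big-endian bytes."""
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")


def rsa_pubkey_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA public-key packet: version, creation time, algo 1, n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def parse_first_packet(raw: bytes) -> tuple[int, bytes]:
    """Return (tag, body) of the first old-format packet in raw (RFC 4880 4.2.1).

    gpg --export and keyservers emit public keys with old-format headers;
    new-format headers (bit 6 set) are rejected to keep the example short.
    """
    ctb = raw[0]
    if ctb & 0x80 == 0:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:
        raise ValueError("new-format packet headers not handled in this example")
    tag = (ctb >> 2) & 0x0F
    length_type = ctb & 0x03
    if length_type == 3:
        raise ValueError("indeterminate length not allowed for key packets")
    len_octets = {0: 1, 1: 2, 2: 4}[length_type]
    body_len = int.from_bytes(raw[1:1 + len_octets], "big")
    body = raw[1 + len_octets:1 + len_octets + body_len]
    if len(body) != body_len:
        raise ValueError("truncated packet")
    return tag, body


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 of 0x99, the two-octet body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The 64-bit key-id is the low 16 hex digits of a v4 fingerprint."""
    return fingerprint[-16:]


def check_against_ldap(record: dict, raw_key: bytes) -> str:
    """Compare a fetched key with what the developer's record claims about it.

    "keyid" and "fingerprint" stand in for the LDAP attributes (assumption).
    A fingerprint pins the whole key; a bare key-id pins only its low 64 bits
    (32 for an 8-digit id), which is exactly the weak case the thread describes.
    """
    tag, body = parse_first_packet(raw_key)
    if tag != 6:
        return "NOT_A_PUBLIC_KEY"
    fpr = v4_fingerprint(body)
    want_fpr = (record.get("fingerprint") or "").replace(" ", "").upper()
    want_id = (record.get("keyid") or "").upper().removeprefix("0X")
    if want_fpr:
        return "OK" if want_fpr == fpr else "FINGERPRINT_MISMATCH"
    if want_id:
        if not long_key_id(fpr).endswith(want_id):
            return "KEYID_MISMATCH"
        return "SHORT_KEYID_ONLY" if len(want_id) < 16 else "KEYID_ONLY"
    return "NO_KEY_IN_LDAP"


# Constructed toy key: tiny modulus, not a real developer key.
_TOY_BODY = rsa_pubkey_body(1339162857, 0xC0FFEE1234567891, 65537)
TOY_KEY = b"\x99" + struct.pack(">H", len(_TOY_BODY)) + _TOY_BODY  # old-format header, tag 6

if __name__ == "__main__":
    fpr = v4_fingerprint(parse_first_packet(TOY_KEY)[1])
    for rec in ({"fingerprint": fpr}, {"keyid": long_key_id(fpr)},
                {"keyid": fpr[-8:]}, {"fingerprint": "0" * 40}, {}):
        print(rec, "->", check_against_ldap(rec, TOY_KEY))
```

Only keys that come back `OK` belong in the keyring; `KEYID_ONLY` entries are the ones where LDAP needs a fingerprint added before the key can be trusted, and `SHORT_KEYID_ONLY` should be treated as unpinned, since 32-bit ids can be generated to order.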


Replies:
Re: Git braindump: 1 of N: merging & git signing
-- W. Trevor King
References:
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman
Re: Git braindump: 1 of N: merging & git signing
-- Dirkjan Ochtman
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman
Re: Git braindump: 1 of N: merging & git signing
-- Dirkjan Ochtman
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman
Re: Git braindump: 1 of N: merging & git signing
-- Dirkjan Ochtman
Re: Git braindump: 1 of N: merging & git signing
-- Brian Harring
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman
Re: Git braindump: 1 of N: merging & git signing
-- Brian Harring
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman
Re: Git braindump: 1 of N: merging & git signing
-- W. Trevor King
Re: Git braindump: 1 of N: merging & git signing
-- Rich Freeman