List Archive: gentoo-dev
On 06/08/2012 01:36 PM, Rich Freeman wrote:
> I doubt any dev checks the signatures on manifest files before
> they overwrite them with a new signature. If they did it wouldn't
> matter since those signatures aren't even mandatory anyway.
> Certainly it isn't intuitive to me that when I perform a signature
> on changes I make that I'm also vouching for work committed by
> somebody else before me.
I'm trying to do this, but first we need a keyring with all dev gpg keys, securely distributed, to verify the signatures.

We (almost all) have gentoogpg key-ids in LDAP, and most have fingerprints in gentoofingerprint in LDAP, but we have to download these keys from public keyservers. And it's not mandatory to either sign at all or to sign with the keys mentioned in LDAP.

Someone pointed me to tove's list of gpg keys used for signing.

I'd suggest generating a tarball (containing a keyring), signed by a master key (member of trustees/council/..), to be deployed on all systems (like it's done on Arch Linux and Debian).

But the current vulnerability is exporting/importing these keys to pgp.mit.edu et al.
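The keyring-tarball scheme proposed in the reply above, as an added shell example that is not part of this thread or of Gentoo's own tooling: it assumes GnuPG 2.1+ and tar are installed, and every key name, path and Manifest line in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from Gentoo): the proposed keyring
# tarball scheme, end to end with throwaway keys. A master key signs a
# tarball holding the dev keyring; a client that trusts only the master
# public key verifies the tarball, installs the keyring, and checks
# Manifests against that keyring alone, never against a public keyserver.
set -eu
WORK=$(mktemp -d)
cleanup() { for d in master dev rogue client; do
    GNUPGHOME=$WORK/$d gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"; }
trap cleanup EXIT
gen_key() {  # $1 = GNUPGHOME, $2 = user id; unprotected demo key, constructed names
    mkdir -p -m 700 "$1"
    GNUPGHOME=$1 gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" ed25519 sign 0 >/dev/null 2>&1
}
gen_key "$WORK/master" "Keyring Master <master@example.invalid>"
gen_key "$WORK/dev"    "Some Dev <dev@example.invalid>"
gen_key "$WORK/rogue"  "Not In Keyring <rogue@example.invalid>"  # keyserver-only key

# Infrastructure side: export dev public keys into a keyring file, tar it,
# detach-sign the tarball with the master key, ship the master pubkey out of band.
mkdir "$WORK/build"
GNUPGHOME=$WORK/dev gpg --batch --export > "$WORK/build/devs.gpg"
tar -C "$WORK/build" -cf "$WORK/keyring.tar" devs.gpg
GNUPGHOME=$WORK/master gpg --batch --detach-sign --output "$WORK/keyring.tar.sig" "$WORK/keyring.tar"
GNUPGHOME=$WORK/master gpg --batch --export > "$WORK/master.pub"

# Two clearsigned Manifests (constructed content): by the dev, and by the rogue key.
printf 'DIST foo-1.0.tar.gz 1234 SHA512 0000constructed0000\n' > "$WORK/Manifest"
GNUPGHOME=$WORK/dev   gpg --batch --clearsign --output "$WORK/Manifest.dev"   "$WORK/Manifest"
GNUPGHOME=$WORK/rogue gpg --batch --clearsign --output "$WORK/Manifest.rogue" "$WORK/Manifest"

# Client side: starts with nothing but the master public key.
CLIENT=$WORK/client; mkdir -m 700 "$CLIENT"
GNUPGHOME=$CLIENT gpg --batch --import "$WORK/master.pub" >/dev/null 2>&1
# Succeeds only if the tarball carries a valid master signature, then unpacks it.
install_keyring() {
    GNUPGHOME=$CLIENT gpg --batch --verify "$1.sig" "$1" >/dev/null 2>&1 || return 1
    tar -C "$CLIENT" -xf "$1"
}
# Succeeds only if the Manifest verifies against the installed dev keyring;
# --no-default-keyring keeps every other key (even the master) out of the decision.
verify_manifest() {
    GNUPGHOME=$CLIENT gpg --batch --no-default-keyring --keyring "$CLIENT/devs.gpg" \
        --verify "$1" >/dev/null 2>&1
}
install_keyring "$WORK/keyring.tar"
verify_manifest "$WORK/Manifest.dev"   && echo "dev Manifest: signature OK"
verify_manifest "$WORK/Manifest.rogue" || echo "rogue Manifest: rejected, signer not in keyring"
```

The rogue case stands in for a key that exists on a public keyserver but was never placed in the signed keyring: it is rejected regardless of how many keyservers carry it.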