List Archive: gentoo-dev
On 29.09.2011 17:02, Anthony G. Basile wrote:
> Hi everyone,
> The issue of Manifest signing came up in #gentoo-hardened channel ...
> again. It's clearly a security issue and yet many manifests in the tree
> are still not signed. Is there any chance that we can agree to reject
> unsigned manifests? Possibly a question for the Council to adjudicate?
I followed the threads about manifest signing with interest and even had
a look at the manifest signing guide. Sounds nice at first view.
But, please correct me, if I'm wrong. I didn't find a place where these
signatures are verified.
Is manifest signing for the infrastructure team, enabling them to verify
the author of a commit (see GLEP57)? Wouldn't this be obsoleted by
commit signing if the move to git is done?
If it is (also) for the users, why is there no code for it in portage
Okay "why" is clear. Obviously nobody was maintaining it...
I thought about signing the manifests of my overlay. But this is
senseless, if there is no automatic check. I can't think of any user
verifying manifest signatures by hand.
To me it looks like there are repeating complaints about missing
signatures, but I don't see any verification methods for existing
At the moment there are 10608 of 15085 manifests signed in my portage
tree. But I can't check them, because I don't have the public keys and
if I fetch them from a public keyserver, I still don't know, if they
really belong to the corresponding Gentoo developers.
Is there some kind of Gentoo Keyring I don't know of?
How does infrastructure team check, if a GPG key belongs to a developer?
The Manifest signing guide simply says "Upload the key to a
keyserver". Everybody can upload a key to the public keyservers. An
attacker, able to modify a signed Manifest, could simply create a new
key in the developer's name and use it to sign the modified manifest.
Therefore it must be clear which key really belongs to a dev.
Furthermore the Tree-Signing-GLEPs seem to be incomplete.
This looks like the right place to continue work on Tree Signing.
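
The verification gap raised in the message above, as an added example that is not part of the original post and is not Portage code: a Python check over GnuPG's `--status-fd` output that accepts a Manifest signature only when the primary-key fingerprint is in a pinned allowlist. The allowlist, fingerprints, names and status lines are constructed for illustration.

```python
# Added example (not Portage code): accept a Manifest signature only if
# GnuPG reports it valid AND the primary-key fingerprint is pinned.
# The user ID in GOODSIG is ignored: anyone can put any name on a key.

REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Hypothetical allowlist, assumed to be distributed out of band.
PINNED = {"A" * 40: "alice"}  # constructed fingerprint


def check_signature(status_text, pinned=PINNED):
    """Return (accepted, reason) for the output of `gpg --status-fd`."""
    fingerprints = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return False, "gpg reported " + parts[1]
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # Field 10 of VALIDSIG is the primary-key fingerprint; fall
            # back to the signing-key fingerprint when it is absent.
            fingerprints.append(parts[11] if len(parts) >= 12 else parts[2])
    if len(fingerprints) != 1:
        return False, "expected exactly one valid signature"
    owner = pinned.get(fingerprints[0].upper())
    if owner is None:
        return False, "valid signature, but key is not pinned"
    return True, "signed by pinned key of " + owner


def _status(fpr, uid):  # builds constructed sample status output
    return ("[GNUPG:] NEWSIG\n"
            f"[GNUPG:] GOODSIG {fpr[-16:]} {uid}\n"
            f"[GNUPG:] VALIDSIG {fpr} 2011-09-29 1317308520 0 4 0 1 8 01 {fpr}\n")


GENUINE = _status("A" * 40, "Alice Dev <alice@example.org>")
# Same name and address, different key: a keyserver lookup cannot tell them apart.
LOOKALIKE = _status("B" * 40, "Alice Dev <alice@example.org>")
TAMPERED = "[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Alice Dev <alice@example.org>\n"

if __name__ == "__main__":
    for name in ("GENUINE", "LOOKALIKE", "TAMPERED"):
        print(name, check_signature(globals()[name]))
```

The status text would come from running `gpg --status-fd 1 --verify Manifest` against a keyring that holds only the pinned keys.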