| 1 |
Hi! |
| 2 |
|
| 3 |
On Mon, 08 Nov 2004, Kurt Lieber wrote: |
| 4 |
> > > cat /usr/portage/sys-apps/portage/Manifest |
| 5 |
> > |
| 6 |
> > This does not contain a GPG signature here. Of all packages... |
| 7 |
> |
| 8 |
> It did when I typed that message last night. Someone must have committed a |
| 9 |
> new version of portage without signing things. I agree, portage should be |
| 10 |
> signed. It's still a new process for us, so it will take time to get to |
| 11 |
> 100%. |
| 12 |
> |
| 13 |
> > I've run a script across the entire tree, collecting 43 different |
| 14 |
> > signature keys IDs from Manifest files in all (from a total of |
| 15 |
> > 2074 signed Manifest files, making up about 1/4). Of those keys, |
| 16 |
> > 16 were unavailable on the Subkeys Public Key Network (listed |
| 17 |
> > below). Where can I get those? |
| 18 |
> |
| 19 |
> Good question -- I don't know. They should be available on pgp.mit.edu, |
| 20 |
> but if they're not, then I'd suggest start filing bugs against those |
| 21 |
> individual packages. (NOT portage bugs) |
| 22 |
|
| 23 |
I just tried: none of them is. I'll file a slew of bugs today (or |
| 24 |
maybe tonight, depending on when I can find the time). |
| 25 |
|
| 26 |
What i think would be best is providing them by keyserver; I |
| 27 |
suggest the subkeys.pgp.net network as pretty much all other |
| 28 |
keyservers use server software which is buggy (details on that |
| 29 |
can be found on the corresponding mailing lists for gnupg). |
| 30 |
|
| 31 |
The idea of providing the keyring with the install images is a |
| 32 |
double-edged sword: if I have no Internet, not having any keys |
| 33 |
might be bad, but providing them with the image opens an attack |
| 34 |
vector. |
| 35 |
|
| 36 |
On the other hand, who will install untrustworthy stuff if he |
| 37 |
can't access the Internet? |
| 38 |
|
| 39 |
Greets, |
| 40 |
Tobias |
| 41 |
|
| 42 |
-- |
| 43 |
export DISPLAY=vt100 |
| 44 |
|
| 45 |
-- |
| 46 |
gentoo-security@g.o mailing list |
Archives