On Fri, Jun 08, 2012 at 03:40:57PM +0200, Michael Weber wrote:
> I'd suggest to generate a tarball (containing a keyring) to sign by
> a master key (member of trustee/council/..) to be deployed on all
> systems (like it's done on archlinux and debian).
>
> But the current vulnerability is exporting/importing these keys to
> pgp.mit.edu et al.

If you just want to check for valid signatures, you can blindly
download the keys from a keyserver. If you want to verify that those
signing keys belong to Gentoo devs, you'll need a web of trust, just
like any other PGP situation. The problem is distributing the trust,
not distributing the keys [1].

If you want a central policy for trusting Gentoo devs, you've already
got an authentication scheme set up to log into the Gentoo servers.
If you trust that scheme, and trust those servers against privilege
escalation and the like, then if a dev can log into the server and
configure their preferred key fingerprint, that seems like a
sufficiently rigorous proof for the Gentoo infra folks to conclude
that the dev in question owns the key in question.

The fact that the Gentoo infra folks might trust the dev's key enough
to publish snapshots signed by that key has no bearing on whether I,
as a non-Gentoo dev who knows none of the infra folks, can trust the
key. I've got to establish my own web of trust to make that happen,
and it's not something that I expect Gentoo to help me with.

[1]:
http://www.gnupg.org/gph/en/manual.html#AEN533
http://www.gnupg.org/gph/en/manual.html#AEN554

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy
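The distinction drawn above between distributing keys and distributing trust can be made concrete with a small model of the GnuPG web-of-trust rules that [1] describes (one fully trusted or three marginally trusted valid signers, at most five steps from your own key). This is an added example, not code from the mail or from Gentoo; the key labels (ME, INFRA, DEV1..DEV4) and the certifications between them are constructed.

```python
# Added example, not from the original mail: a minimal model of GnuPG's classic
# web-of-trust rules ([1]). Key labels and signatures are constructed.
MARGINAL, FULL, ULTIMATE = "marginal", "full", "ultimate"

def compute_validity(keys, sigs, owner_trust,
                     marginals_needed=3, completes_needed=1, max_depth=5):
    """Return {key: bool}: which keys on the ring are *valid*.
    keys: keys on the ring (e.g. fetched from a keyserver);
    sigs: (signer, signed) certifications on the ring;
    owner_trust: *my* owner-trust per key (absent = no trust).
    A key is valid if ultimately trusted, or certified by enough already-valid
    keys whose owners I trust (1 FULL or marginals_needed MARGINAL signers),
    within max_depth steps from my own key."""
    valid = {k: owner_trust.get(k) == ULTIMATE for k in keys}
    for _ in range(max_depth):
        newly = set()
        for k in keys:
            if valid[k]:
                continue
            full = sum(1 for s, t in sigs if t == k and valid.get(s)
                       and owner_trust.get(s) in (FULL, ULTIMATE))
            marginal = sum(1 for s, t in sigs if t == k and valid.get(s)
                           and owner_trust.get(s) == MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                newly.add(k)
        if not newly:
            break
        for k in newly:
            valid[k] = True
    return valid

KEYS = ["ME", "INFRA", "DEV1", "DEV2", "DEV3", "DEV4"]
# Certifications as they might sit in a keyserver download or an infra-signed
# keyring tarball (constructed): INFRA certified three devs, who certified DEV4.
SIGS = [("INFRA", "DEV1"), ("INFRA", "DEV2"), ("INFRA", "DEV3"),
        ("DEV1", "DEV4"), ("DEV2", "DEV4"), ("DEV3", "DEV4")]

def blind_download():
    # Keys are on the ring, but I assigned no owner trust and signed nothing:
    # every signature verifies cryptographically, yet no key is valid.
    return compute_validity(KEYS, SIGS, {"ME": ULTIMATE})

def infra_as_anchor():
    # I checked INFRA's fingerprint, signed it and trust it fully: the devs it
    # certified become valid, and three marginally trusted devs make DEV4 valid.
    trust = {"ME": ULTIMATE, "INFRA": FULL,
             "DEV1": MARGINAL, "DEV2": MARGINAL, "DEV3": MARGINAL}
    return compute_validity(KEYS, SIGS + [("ME", "INFRA")], trust)
```

Infra's own owner-trust settings never enter the computation; only the certifications on the ring and the trust I assign locally do, which is the point the mail makes.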