Gentoo Archives: gentoo-dev

From: "PaweĊ‚ Hajdan
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] integrity of stage files
Date: Sat, 08 Oct 2011 23:40:24
In Reply to: Re: [gentoo-dev] integrity of stage files by "Robin H. Johnson"
On 10/8/11 3:43 PM, Robin H. Johnson wrote:
>> 1. Why are we using _only_ MD5 and SHA1 as the checksums? Shouldn't we >> be using something stronger? > Fixed in Catalyst now. >;a=commit;h=42b4f6608682cf03954918ecce7923330a1656fe > So when the stagebuilders update their Catalyst, they will be generated > with newer hashes.
Thank you for a quick reaction, but maybe in one aspect it was too quick: <> tells people to use md5sum, and the patch above _removes_ md5 sum, which means the Handbook instructions now won't work. Suggested course of action: 1. Please re-add md5 sum. 2. File a bug to modify the handbook to verify sha sum instead. 3. Then remove the checksum.
>> 2. I noticed the checksums are signed (.asc files). With what key are >> they signed? How is that key handled, and how to ensure people use the >> right key when verifying the signature? > Documented here: >
Ah, I just forgot about that page. Okay, so can we also update the Handbook to include GPG signature checking?


File name MIME type
signature.asc application/pgp-signature


Subject Author
Re: [gentoo-dev] integrity of stage files "Robin H. Johnson" <robbat2@g.o>