On Fri, 23 Jan 2015 16:16:25 -0500
Michael Orlitzky <mjo@g.o> wrote:

> On 01/23/2015 03:22 PM, Michał Górny wrote:
> > On 2015-01-23, at 14:26:48
> > Michael Orlitzky <mjo@g.o> wrote:
> >
> >> On 01/23/2015 02:13 PM, Michał Górny wrote:
> >>> To help you enable the correct USE flags, we are providing a
> >>> Python script which generates the correct value from
> >>> your /proc/cpuinfo [1]. The Python script can be downloaded and
> >>> executed using the following command:
> >>>
> >>> $ wget -O - dev.gentoo.org/~mgorny/cpuinfo2cpuflags-x86.py |
> >>> python
> >>
> >> Can we not encourage people to pipe stuff from a plain-http
> >> website into an interpreter?
> >
> > Find a better solution.
> >
>
> Is there an easy way for users to verify our signatures against the
> keys in LDAP?
>
> Even `wget --no-check-certificate` would be a big improvement. Or
> since Firefox seems happy with the dev.gentoo.org certificate, we
> could just ask them to download it with their browsers.
>
> Longer term: can we make wget like our SSL certificate?
>

Yes, if this data or python code is to be downloaded routinely, then
api.gentoo.org is the new https service specifically designed for this.

Please talk to infra for a subdirectory assignment for this data/code.

Also, for python based apps, dev-python/ssl-fetch was specifically
designed for retrieving from api.g.o (or any url) with certificate
authentication.

Taking it one step further, the gentoo-keys project (uses ssl-fetch) is
just entering the tree and can be used to download and verify files and
gpg signatures of those files. app-crypt/gkeys-0.1-r1 is in the tree
and installs with the gentoo release media gpg keys and downloads the
current gentoo-devs seed file. The developers' gpg keys must be
installed for them to be verified against.

e.g.:

$ gkeys verify -F dev.gentoo.org/~mgorny/cpuinfo2cpuflags-x86.py

should do it, it will automatically look for a matching *.sig to use to
verify with against the installed gpg keys. It can even save and use
timestamps to prevent unneeded downloads for unchanged data in a local
cache.

But, for gkeys to become commonplace in usage, it also requires devs to
fix their current keys and LDAP data, or generate new GLEP 63 compliant
keys. But that is an off topic discussion.

--
Brian Dolbec <dolsen> |
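
The download, verify, then execute flow this thread argues for, as an added example that is not part of the original message and is not gkeys code. It swaps in plain `gpgv` for gkeys; the function name, the keyring path and the https URL are assumptions, and only the "matching *.sig next to the file" layout comes from the thread.

```shell
#!/bin/sh
# Added example: replace `wget -O - URL | python` with fetch, verify, run.
# Assumed (not from the thread): keyring location, https:// URL, python on PATH.

KEYRING="${KEYRING:-$HOME/.gnupg/trustedkeys.gpg}"  # assumed keyring of trusted keys

# fetch_verify_run URL  (hypothetical helper name)
# Returns 2 on non-https URL, 3 on download failure, 4 on bad signature,
# otherwise the exit status of the executed script.
fetch_verify_run() {
    url=$1
    case $url in
        https://*) ;;
        *) echo "refusing non-https URL: $url" >&2; return 2 ;;
    esac

    workdir=$(mktemp -d) || return 1
    script=$workdir/script.py
    sig=$workdir/script.py.sig

    # Fetch to disk first so the bytes that get verified are the bytes that run.
    if ! wget -q -O "$script" "$url" || ! wget -q -O "$sig" "$url.sig"; then
        echo "download failed" >&2
        rm -rf "$workdir"
        return 3
    fi

    # gpgv checks the detached signature against the given keyring only.
    if ! gpgv --keyring "$KEYRING" "$sig" "$script" 2>/dev/null; then
        echo "signature verification failed; not executing" >&2
        rm -rf "$workdir"
        return 4
    fi

    python "$script"
    rc=$?
    rm -rf "$workdir"
    return $rc
}
```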