| 1 |
On Fri, 23 Jan 2015 16:16:25 -0500 |
| 2 |
Michael Orlitzky <mjo@g.o> wrote: |
| 3 |
|
| 4 |
> On 01/23/2015 03:22 PM, Michał Górny wrote: |
| 5 |
> > Dnia 2015-01-23, o godz. 14:26:48 |
| 6 |
> > Michael Orlitzky <mjo@g.o> napisał(a): |
| 7 |
> > |
| 8 |
> >> On 01/23/2015 02:13 PM, Michał Górny wrote: |
| 9 |
> >>> To help you enable the correct USE flags, we are providing a |
| 10 |
> >>> Python script which generates the correct value from |
| 11 |
> >>> your /proc/cpuinfo [1]. The Python script can be downloaded and |
| 12 |
> >>> executed using the following command: |
| 13 |
> >>> |
| 14 |
> >>> $ wget -O - dev.gentoo.org/~mgorny/cpuinfo2cpuflags-x86.py | |
| 15 |
> >>> python |
| 16 |
> >> |
| 17 |
> >> Can we not encourage people to pipe stuff from a plain-http |
| 18 |
> >> website into an interpreter? |
| 19 |
> > |
| 20 |
> > Find a better solution. |
| 21 |
> > |
| 22 |
> |
| 23 |
> Is there an easy way for users to verify our signatures against the |
| 24 |
> keys in LDAP? |
| 25 |
> |
| 26 |
> Even `wget --no-check-certificate` would be a big improvement. Or |
| 27 |
> since Firefox seems happy with the dev.gentoo.org certificate, we |
| 28 |
> could just ask them to download it with their browsers. |
| 29 |
> |
| 30 |
> Longer term: can we make wget like our SSL certificate? |
| 31 |
> |
| 32 |
|
| 33 |
Yes, if this data or python code is to be downloaded routinely, then |
| 34 |
api.gentoo.org is the new https service specifically designed for this. |
| 35 |
|
| 36 |
Please talk to infra for a subdirectory assignment for this data/code. |
| 37 |
|
| 38 |
Also, for python based apps, dev-python/ssl-fetch was specifically |
| 39 |
designed for retrieving from api.g.o (or any url) with certificate |
| 40 |
authentication. |
| 41 |
|
| 42 |
Taking it one step further, the gentoo-keys project (uses ssl-fetch) is |
| 43 |
just entering the tree and can be used to download and verify files and |
| 44 |
gpg signatures of those files. app-crypt/gkeys-0.1-r1 is in the tree |
| 45 |
and installs with the gentoo release media gpg keys and downloads the |
| 46 |
current gentoo-devs seed file. The developers gpg keys must be |
| 47 |
installed for them to be verified against. |
| 48 |
|
| 49 |
eg: |
| 50 |
|
| 51 |
$ gkeys verify -F dev.gentoo.org/~mgorny/cpuinfo2cpuflags-x86.py |
| 52 |
|
| 53 |
should do it, it will automatically look for a matching *.sig to use to |
| 54 |
verify with against the installed gpg keys. It can even save and use |
| 55 |
timestamps to prevent unneeded downloads for unchanged data in a local |
| 56 |
cache. |
| 57 |
|
| 58 |
But, for gkeys to become commonplace in usage, it also requires devs to |
| 59 |
fix their current keys and LDAP data, or generate new GLEP 63 compliant |
| 60 |
keys. But that is an off topic discussion |
| 61 |
|
| 62 |
-- |
| 63 |
Brian Dolbec <dolsen> |
Archives