| 1 |
I'm merging in Michał's reply from the related "[gentoo-portage-dev] |
| 2 |
[PATCH] [sync] Increase the default git sync-depth to 10" thread. |
| 3 |
|
| 4 |
On 10/30/2016 02:58 PM, Zac Medico wrote: |
| 5 |
> On 10/30/2016 01:44 PM, Michał Górny wrote: |
| 6 |
>> Hi, everyone. |
| 7 |
>> |
| 8 |
>> Just a quick note: I've prepared a simple tool [1] to verify clones of |
| 9 |
>> gentoo-mirror repositories. It's still early WiP but can be easily used |
| 10 |
>> to verify a clone: |
| 11 |
>> |
| 12 |
>> $ ./verify-repo gentoo |
| 13 |
>> [/var/db/repos/gentoo] |
| 14 |
>> Untrusted signature on 42ccdf48d718287e981c00f25caea2242262906a |
| 15 |
>> (you may need to import/trust developer keys) |
| 16 |
>> Note: unsigned changes in metadata and/or caches found (it's fine) |
| 17 |
> |
| 18 |
> I don't think it's acceptable to use an unsigned metadata/cache commit. |
| 19 |
> Can't we use an infrastructure key for this? |
| 20 |
|
| 21 |
On 10/30/2016 03:03 PM, Michał Górny wrote: |
| 22 |
> I've even written a blog post [1] about that. Long story short, |
| 23 |
> trusting some random key used by automated process running on remote |
| 24 |
> server with no real security is insane. I've made a script that |
| 25 |
> verifies underlying repo commit instead, and diffs for metadata |
| 26 |
> changes. |
| 27 |
> |
| 28 |
> |
| 29 |
[1]:https://blogs.gentoo.org/mgorny/2016/04/15/why-automated-gentoo-mirror-commits-are-not-signed-and-how-to-verify-them-2/ |
| 30 |
|
| 31 |
An automated signature may not have the same degree of trust as a |
| 32 |
manually generated signature, but that does not make it completely |
| 33 |
worthless (is https worthless too?). |
| 34 |
-- |
| 35 |
Thanks, |
| 36 |
Zac |
Archives