I'm merging in Michał's reply from the related "[gentoo-portage-dev]
[PATCH] [sync] Increase the default git sync-depth to 10" thread.

On 10/30/2016 02:58 PM, Zac Medico wrote:
> On 10/30/2016 01:44 PM, Michał Górny wrote:
>> Hi, everyone.
>>
>> Just a quick note: I've prepared a simple tool [1] to verify clones of
>> gentoo-mirror repositories. It's still early WiP but can be easily used
>> to verify a clone:
>>
>> $ ./verify-repo gentoo
>> [/var/db/repos/gentoo]
>> Untrusted signature on 42ccdf48d718287e981c00f25caea2242262906a
>> (you may need to import/trust developer keys)
>> Note: unsigned changes in metadata and/or caches found (it's fine)
>
> I don't think it's acceptable to use an unsigned metadata/cache commit.
> Can't we use an infrastructure key for this?

On 10/30/2016 03:03 PM, Michał Górny wrote:
> I've even written a blog post [1] about that. Long story short,
> trusting some random key used by automated process running on remote
> server with no real security is insane. I've made a script that
> verifies underlying repo commit instead, and diffs for metadata
> changes.
>
>
[1]:https://blogs.gentoo.org/mgorny/2016/04/15/why-automated-gentoo-mirror-commits-are-not-signed-and-how-to-verify-them-2/

An automated signature may not have the same degree of trust as a
manually generated signature, but that does not make it completely
worthless (is https worthless too?).
--
Thanks,
Zac