1 |
On 15 May 2015 at 17:51, Michał Górny <mgorny@g.o> wrote: |
2 |
> Please note that the current syncing code does not verify the OpenPGP |
3 |
> signature to confirm the authenticity of fetched snapshots and deltas. |
4 |
> This feature will be added as soon as gentoo-keys support in Portage is |
5 |
> available. |
6 |
|
7 |
These are great news! |
8 |
We can retire the webrsync. |
9 |
Why not sign it similar to the portage snapshot are signed for now? |
10 |
The webrsync signature validation is quite simple. |
11 |
|
12 |
Just a reminder: please note the rollback prevention mechanism in |
13 |
webrsync, it is not enough to check signature, but also prevent older |
14 |
snapshot to be used. |
15 |
|
16 |
Regards, |
17 |
Alon |