| 1 |
On 15 May 2015 at 17:51, Michał Górny <mgorny@g.o> wrote: |
| 2 |
> Please note that the current syncing code does not verify the OpenPGP |
| 3 |
> signature to confirm the authenticity of fetched snapshots and deltas. |
| 4 |
> This feature will be added as soon as gentoo-keys support in Portage is |
| 5 |
> available. |
| 6 |
|
| 7 |
These are great news! |
| 8 |
We can retire the webrsync. |
| 9 |
Why not sign it similar to the portage snapshot are signed for now? |
| 10 |
The webrsync signature validation is quite simple. |
| 11 |
|
| 12 |
Just a reminder: please note the rollback prevention mechanism in |
| 13 |
webrsync, it is not enough to check signature, but also prevent older |
| 14 |
snapshot to be used. |
| 15 |
|
| 16 |
Regards, |
| 17 |
Alon |
Archives