| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On 03/25/2011 07:55 AM, "Paweł Hajdan, Jr." wrote: |
| 5 |
> On 3/24/11 10:59 PM, Mike Frysinger wrote: |
| 6 |
>> is there any reason we should allow people to commit unsigned |
| 7 |
>> Manifest's anymore ? generating/posting/enabling a gpg key is |
| 8 |
>> ridiculously easy and there's really no excuse for a dev to not have |
| 9 |
>> done this already. |
| 10 |
> |
| 11 |
> Firstly, I'm excited we're moving towards a signed portage tree. |
| 12 |
> |
| 13 |
> We can start with a repoman warning (yellow) and a transition period. |
| 14 |
> |
| 15 |
>> when i look at the tree, the signed stats are stupid low: |
| 16 |
>> $ find *-* -maxdepth 2 -name Manifest | wc -l |
| 17 |
>> 14438 |
| 18 |
>> $ find *-* -maxdepth 2 -name Manifest -exec grep -l 'BEGIN PGP |
| 19 |
>> SIGNATURE' {} + | wc -l |
| 20 |
>> 6032 |
| 21 |
> |
| 22 |
> If I'm interpreting the data correctly, about 43% of Manifest files are |
| 23 |
> signed. That's not too bad, I was expecting something more like 5%. |
| 24 |
> |
| 25 |
> By the way, is it acceptable to use the same GPG key for e-mail and |
| 26 |
> signing packages? |
| 27 |
|
| 28 |
Yes. In fact, I'd recommend it. Saves having to try to keep track of 2 |
| 29 |
keys / dev. |
| 30 |
|
| 31 |
Having said that, for those that just use "keys" for e-mails (most of |
| 32 |
us), it would make more sense to use full blow SSL certs in the long run. |
| 33 |
(Mathematically, same thing. But a cert needs to be signed by a CA, and |
| 34 |
we should ideally maintain a Gentoo CA.) I need to get up to speed with |
| 35 |
the GLEP's pertaining to this. Let's just say I have a fair bit of |
| 36 |
experience in this field. I may be able to offer some ideas / |
| 37 |
suggestions. I would very much like to see this happen. |
| 38 |
|
| 39 |
But for the meantime, yes, it's safe. |
| 40 |
|
| 41 |
- -- |
| 42 |
Dane Smith (c1pher) |
| 43 |
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86 |
| 44 |
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index |
| 45 |
-----BEGIN PGP SIGNATURE----- |
| 46 |
Version: GnuPG v2.0.17 (GNU/Linux) |
| 47 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ |
| 48 |
|
| 49 |
iQIcBAEBAgAGBQJNjIO0AAoJEEsurZwMLhUxlsIP/2oaWnkWr160fj8027WA3Jbe |
| 50 |
oI5dXXvZr2RDMxFXKcyx0qiTfVlhVClJIBn8wANf41uKmMh6azIN5Ug4cDk++0ku |
| 51 |
qYXvIne4W65TCifU44h80AAOEVBLQwN+d2VCeq7/qu6qJp9PT1SIzCaZZCtRAvOK |
| 52 |
NwH5ZuUTrcewa/SbADIwP2hbQiLs8m241XJNNWGcIgflbO0OhcvUPlLM6/fUS56X |
| 53 |
364EUGDo/TAAtkrIhWKKD2xsRoPmmO2uE7euPNhI4pFGUbKXVtb5Lb/qY9iLDgYy |
| 54 |
PciHr2yFwOY1P16hr51Dbo8b5rPAncIHJFBUBHd89OnZHCwkBUP1z7l1J13NfClw |
| 55 |
/hoYQe0DO/CrWz2pKF4I3pxP1MnULKKB2ib8RFswCJY2mxKvGeGJoQyZpT/GtCGb |
| 56 |
vN8o20Kd3Ci+CEpeIo3sqxt04kNoMvMLEq9ZJ++a8c0wijX63ChRL5/+qRxzGDtc |
| 57 |
I9pN34RDuAuUck0Wp+R/TTG4Bjh5ixQkeh199NoqjNLA02rE0QVElm7PlIJxg36/ |
| 58 |
pp101gH68H0t6EGAFrnGHAG6w/8yAz+Mcm+4WLjpDAPSMXYahZXOCKFn9WV0WgBS |
| 59 |
e0EG2xr8BD7SqUrZRSlxjGsbFVCVaGvS9qFO4e2B4dKPy1mjwcTdBQRGZOfd3kGM |
| 60 |
WDV73IcPr2K9cQFJD+Te |
| 61 |
=yiPl |
| 62 |
-----END PGP SIGNATURE----- |
Archives