Gentoo Archives: gentoo-dev

From: "Robin H. Johnson" <robbat2@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] integrity of stage files
Date: Sun, 09 Oct 2011 00:02:51
In Reply to: Re: [gentoo-dev] integrity of stage files by "Paweł Hajdan
On Sat, Oct 08, 2011 at 04:39:40PM -0700, "Paweł Hajdan, Jr." wrote:
> On 10/8/11 3:43 PM, Robin H. Johnson wrote: > >> 1. Why are we using _only_ MD5 and SHA1 as the checksums? Shouldn't we > >> be using something stronger? > > Fixed in Catalyst now. > >;a=commit;h=42b4f6608682cf03954918ecce7923330a1656fe > > So when the stagebuilders update their Catalyst, they will be generated > > with newer hashes. > > Thank you for a quick reaction, but maybe in one aspect it was too > quick: > <> > tells people to use md5sum, and the patch above _removes_ md5 sum, which > means the Handbook instructions now won't work. > > Suggested course of action: > > 1. Please re-add md5 sum.
> 2. File a bug to modify the handbook to verify sha sum instead.
> 3. Then remove the checksum. > > >> 2. I noticed the checksums are signed (.asc files). With what key are > >> they signed? How is that key handled, and how to ensure people use the > >> right key when verifying the signature? > > Documented here: > > > Ah, I just forgot about that page. Okay, so can we also update the > Handbook to include GPG signature checking?
It DOES already mention checking the signature: Also opened another bug for correcting keys. -- Robin Hugh Johnson Gentoo Linux: Developer, Trustee & Infrastructure Lead E-Mail : robbat2@g.o GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85


Subject Author
Re: [gentoo-dev] integrity of stage files "Paweł Hajdan