On Thu, 18 May 2006 23:45:17 +0200, Patrick Lauer wrote:

> Hello all,

snip...

I have a question about package Manifests. On reviewing portage, some
Manifests are signed by various GPG keys, and others are not signed at all!

I submitted something to Patrick off list (largely because I'm not a dev,
nor a great security expert) which uses a hash of all Manifest files as a
basis for portage validation. However, the signing of the Manifest files
themselves is inconsistent which poses a few problems.

Who signs the Manifests? Why are some unsigned? Is there a single Gentoo
Security Key (like I know Slackware has and some other distros to ensure
the authenticity of their files)?

TIA

--
Peter

--
gentoo-dev@g.o mailing list