Gentoo Archives: gentoo-dev

From: Michael Weber <xmw@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing
Date: Fri, 08 Jun 2012 13:43:09
In Reply to: Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing by Rich Freeman
Hash: SHA256

On 06/08/2012 01:36 PM, Rich Freeman wrote:

> I doubt any dev checks the signatures on manifest files before
> they overwrite them with a new signature. If they did it wouldn't
> matter since those signatures aren't even mandatory anyway.
> Certainly it isn't intuitive to me that when I perform a signature
> on changes I make that I'm also vouching for work committed by
> somebody else before me.
I'm trying to do this, but first we need a keyring with all dev gpg keys - securely distributed - to verify the signatures. We (almost all) have gentoogpg key-ids in ldap, and most have fingerprints in gentoofingerprint in ldap, but we have to download these keys from public keyservers. And it's not mandatory to either sign at all or sign with keys mentioned in ldap.

Someone pointed me to tove's list of gpg keys used for signing [1].

I'd suggest generating a tarball (containing a keyring) signed by a master key (member of trustee/council/..) to be deployed on all systems (like it's done on archlinux and debian). But the current vulnerability is exporting/importing these keys to et al.

Suggestions?

Michael

[1] -

-- 
Gentoo Dev

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla -

iF4EAREIAAYFAk/SAOkACgkQknrdDGLu8JBWywD/e4kT9jUt3CFFMZgMla14zdwT
dmZZs4R5to9CikKAFqwA/1dcXV9/8H/qrW0q8yO7pEIdCdr8RD2d0mochceEeyxd
=+k9D
-----END PGP SIGNATURE-----
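The gap Michael describes is that a Manifest signature can be valid under the keyring and still not come from the key the committer registered in LDAP. The following is an added illustration of the check a verifier would need, not code from this thread or from Gentoo's tooling: it parses the machine-readable `--status-fd` lines that `gpg --verify` emits, refuses BADSIG/ERRSIG/expired/revoked results, and then compares the fingerprint from the VALIDSIG line against the committer's LDAP-published fingerprint. The LDAP fingerprint table and the gpg status output are constructed placeholders, and `check_manifest_signature` is a hypothetical helper name.

```python
"""
Decide whether a Manifest signature came from the committer's
LDAP-registered key, rather than from any key that happens to be
in the local keyring.

Added example; assumes a trusted developer keyring already exists and
that the caller feeds in the output of
    gpg --status-fd 1 --verify Manifest
The sample status lines and fingerprints below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for the gentoofingerprint attribute in LDAP
# (placeholder fingerprints, not real developer keys).
LDAP_FINGERPRINTS: Dict[str, str] = {
    "alice": "0000 1111 2222 3333 4444  5555 6666 7777 8888 9999",
    "bob":   "AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333",
}

# Status tags that mean the signature must be rejected outright.
REJECT_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def normalize_fpr(fpr: str) -> str:
    """LDAP stores spaced, mixed-case fingerprints; gpg emits compact upper-case."""
    return re.sub(r"\s+", "", fpr).upper()


def check_manifest_signature(status_output: str, committer: str,
                             ldap_fingerprints: Dict[str, str]) -> Verdict:
    """Parse gpg --status-fd output and bind the signature to the committer's key."""
    good = False
    signing_fpr = None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                      # ignore non-status noise
        fields = line.split()
        tag = fields[1]
        if tag in REJECT_TAGS:
            return Verdict(False, "signature not acceptable: " + tag)
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":
            # fields[2] is the fingerprint of the (sub)key that signed;
            # when a subkey signed, the 10th extra field is the primary
            # key fingerprint, which is what LDAP records.
            signing_fpr = fields[11] if len(fields) >= 12 else fields[2]
    if not (good and signing_fpr):
        return Verdict(False, "no GOODSIG/VALIDSIG pair found")

    expected = ldap_fingerprints.get(committer)
    if expected is None:
        return Verdict(False, "no fingerprint in LDAP for " + committer, signing_fpr)
    if normalize_fpr(expected) != normalize_fpr(signing_fpr):
        return Verdict(False, "valid signature, but not by the key LDAP lists for "
                       + committer, signing_fpr)
    return Verdict(True, "signed by " + committer + "'s LDAP-registered key", signing_fpr)


# Constructed gpg status output: a good signature by alice's placeholder key.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6666777788889999 Alice Example <alice@example.invalid>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2012-06-08 1339159389 0 4 0 17 8 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_FULLY 0 pgp
"""

# Constructed gpg status output: the Manifest was tampered with after signing.
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 6666777788889999 Alice Example <alice@example.invalid>
"""

if __name__ == "__main__":
    for who, out in (("alice", SAMPLE_GOOD), ("bob", SAMPLE_GOOD), ("alice", SAMPLE_BAD)):
        v = check_manifest_signature(out, who, LDAP_FINGERPRINTS)
        print(f"{who:6} ok={v.ok} {v.reason}")
```

The second case in the usage block is the one the mail is really about: the signature verifies cleanly, yet it is rejected because the key is not the one LDAP associates with the committer whose change it covers. Running the check against the committer of each Manifest change, not just "does some dev key verify it", is what makes the keyring tarball proposal meaningful.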

