Gentoo Archives: gentoo-dev

From: "Michał Górny" <mgorny@g.o>
To: Zac Medico <zmedico@g.o>
Cc: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] OpenPGP verification for gentoo-mirror repos
Date: Mon, 31 Oct 2016 08:21:46
Message-Id: 20161031092131.1160c4c9.mgorny@gentoo.org
In Reply to: Re: [gentoo-dev] OpenPGP verification for gentoo-mirror repos by Zac Medico

On Sun, 30 Oct 2016 15:36:16 -0700
Zac Medico <zmedico@g.o> wrote:

> I'm merging in Michał's reply from the related "[gentoo-portage-dev]
> [PATCH] [sync] Increase the default git sync-depth to 10" thread.
>
> On 10/30/2016 02:58 PM, Zac Medico wrote:
> > On 10/30/2016 01:44 PM, Michał Górny wrote:
> >> Hi, everyone.
> >>
> >> Just a quick note: I've prepared a simple tool [1] to verify clones of
> >> gentoo-mirror repositories. It's still early WiP but can be easily used
> >> to verify a clone:
> >>
> >> $ ./verify-repo gentoo
> >> [/var/db/repos/gentoo]
> >> Untrusted signature on 42ccdf48d718287e981c00f25caea2242262906a
> >> (you may need to import/trust developer keys)
> >> Note: unsigned changes in metadata and/or caches found (it's fine)
> >
> > I don't think it's acceptable to use an unsigned metadata/cache commit.
> > Can't we use an infrastructure key for this?
>
> On 10/30/2016 03:03 PM, Michał Górny wrote:
> > I've even written a blog post [1] about that. Long story short,
> > trusting some random key used by automated process running on remote
> > server with no real security is insane. I've made a script that
> > verifies underlying repo commit instead, and diffs for metadata
> > changes.
> >
> >
> [1]:https://blogs.gentoo.org/mgorny/2016/04/15/why-automated-gentoo-mirror-commits-are-not-signed-and-how-to-verify-them-2/
>
> An automated signature may not have the same degree of trust as a
> manually generated signature, but that does not make it completely
> worthless (is https worthless too?).

I disagree. We don't have any good way of expressing this degree of
trust. Therefore, the user will commonly presume both are of the same
degree of trust.

--
Best regards,
Michał Górny
<http://dev.gentoo.org/~mgorny/>