Gentoo Archives: gentoo-dev

From: Jeroen Roovers <jer@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Re: rejecting unsigned commits
Date: Tue, 05 Apr 2011 03:37:52
In Reply to: Re: [gentoo-dev] Re: rejecting unsigned commits by "Andreas K. Huettel"
1 On Fri, 25 Mar 2011 10:44:31 +0100
2 "Andreas K. Huettel" <dilfridge@g.o> wrote:
4 > * the signature proves the key belongs to the e-mail address, nothing
5 > else
7 Anyone could generate a signature with one of my @g.o e-mail addresses
8 in it, then pass themselves off as myself, right? If they then trick you
9 into thinking that I sent the mail you received, signed with their key,
10 they're all set. Having the "right" e-mail address in the key would not
11 improve anything.
13 > * the e-mail address is given to the owner of the key during
14 > recruitment
16 It's been a while, but I am certain I did not have a
17 address yet _during_ recruitment, and I was instead asked to provide an
18 address that I _did_ already use. It looks like that still has not
19 changed.[1] Looking at the e-mail from that time, it seems I had been
20 asked to sign my SSH key with it and send it to recruiters@.
23 jer
26 [1]