On 10/30/2016 03:03 PM, Michał Górny wrote:
> On Sun, 30 Oct 2016 14:44:26 -0700
> Zac Medico <zmedico@g.o> wrote:
>
>> On 10/30/2016 02:34 PM, Michał Górny wrote:
>>> +The default depth of 10 was chosen as a compromise between space |
>>> +and bandwidth savings, and maintaining a history of recent commits. |
>>> +It is especially important for gentoo-mirror repositories where the most |
>>> +recent commits are automated and unsigned, and it is necessary to |
>>> +rewind the history to the newest signed commit for OpenPGP verification. |
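
Review bot: the added paragraph fixes the default depth at 10 and says history must be rewound to the newest signed commit, but it does not say what happens when that signed commit lies more than 10 commits back, a case the text itself makes plausible for gentoo-mirror repositories where the most recent commits are automated and unsigned. Consider adding a sentence telling the reader that the depth has to be raised when the newest signed commit is not within the fetched history, so a failed verification is not mistaken for a bad signature.
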
>>
>> Shouldn't people feel uneasy about the last commit being unverifiable? I
>> would think that that last commit should be signed with an
>> infrastructure key.
>
> I've even written a blog post [1] about that. Long story short,
> trusting some random key used by an automated process running on a remote
> server with no real security is insane. I've made a script that
> verifies the underlying repo commit instead, and diffs for metadata
> changes.
>
> [1]:https://blogs.gentoo.org/mgorny/2016/04/15/why-automated-gentoo-mirror-commits-are-not-signed-and-how-to-verify-them-2/

An automated signature may not have the same degree of trust as a
manually generated signature, but that does not make it completely
worthless (is https worthless too?). For greater visibility, let's
continue this discussion in the "[gentoo-dev] OpenPGP verification for
gentoo-mirror repos" thread.
--
Thanks,
Zac