| 1 |
On 10/30/2016 03:03 PM, Michał Górny wrote: |
| 2 |
> On Sun, 30 Oct 2016 14:44:26 -0700 |
| 3 |
> Zac Medico <zmedico@g.o> wrote: |
| 4 |
> |
| 5 |
>> On 10/30/2016 02:34 PM, Michał Górny wrote: |
| 6 |
>>> +The default depth of 10 was chosen as a compromise between space |
| 7 |
>>> +and bandwidth savings, and maintaining a history of recent commits. |
| 8 |
>>> +It is especially important for gentoo-mirror repositories where the most |
| 9 |
>>> +recent commits are automated and unsigned, and it is necessary to |
| 10 |
>>> +rewind the history to the newest signed commit for OpenPGP verification. |
| 11 |
>> |
| 12 |
>> Shouldn't people feel uneasy about the last commit being unverifiable? I |
| 13 |
>> would think that that last commit should be signed with an |
| 14 |
>> infrastructure key. |
| 15 |
> |
| 16 |
> I've even written a blog post [1] about that. Long story short, |
| 17 |
> trusting some random key used by automated process running on remote |
| 18 |
> server with no real security is insane. I've made a script that |
| 19 |
> verifies underlying repo commit instead, and diffs for metadata |
| 20 |
> changes. |
| 21 |
> |
| 22 |
> [1]:https://blogs.gentoo.org/mgorny/2016/04/15/why-automated-gentoo-mirror-commits-are-not-signed-and-how-to-verify-them-2/ |
| 23 |
|
| 24 |
An automated signature may not have the same degree of trust as a |
| 25 |
manually generated signature, but that does not make it completely |
| 26 |
worthless (is https worthless too?). For greater visibility, let's |
| 27 |
continue this discussion in the "[gentoo-dev] OpenPGP verification for |
| 28 |
gentoo-mirror repos" thread. |
| 29 |
-- |
| 30 |
Thanks, |
| 31 |
Zac |
Archives