| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
| So is the solution. It was posted a few messages back. We just need some |
| 5 |
| admin to drop a find script on the main server and setup the required |
| 6 |
| keys. Once the signatures are there, anyone can write the userland script |
| 7 |
| to do the verification, but until then, there's no point to write it since |
| 8 |
| the server implementation is not known. |
| 9 |
| |
| 10 |
| - Chris |
| 11 |
|
| 12 |
Read Peter's message moments after sending mine. |
| 13 |
|
| 14 |
I like Peter's idea. But the question is still, where to keep the public |
| 15 |
key and private key. Yes, maybe it's better to trust the developers than |
| 16 |
any mirror admin. |
| 17 |
|
| 18 |
Adding to what Peter said, what about having the public and private key |
| 19 |
changed periodicaly (developers come and go, keys should come and go |
| 20 |
too) and have the portage download automaticaly the public key and |
| 21 |
revokation certificates when needed from a single server? Ex: www.gentoo.org |
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
-----BEGIN PGP SIGNATURE----- |
| 27 |
Version: GnuPG v1.2.6 (GNU/Linux) |
| 28 |
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org |
| 29 |
|
| 30 |
iD8DBQFBjlWbfLPhlaxNQk0RAqfZAJsGaLid/8BzfXhQVbsNlLDKgfaUbQCggsW7 |
| 31 |
kc2rYAq3W0CdOCTgDYcQ0jQ= |
| 32 |
=GziW |
| 33 |
-----END PGP SIGNATURE----- |
| 34 |
|
| 35 |
-- |
| 36 |
gentoo-security@g.o mailing list |
Archives