From: Torsten Veller
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] Individual developer signing
Date: Thu, 3 Dec 2009 11:32:42 +0100
Message-ID: <20091203103242.GA6316@veller.net>
References: <7c612fc60911251350k3560b7d7sf4e9c867a30b0d90@mail.gmail.com> <20091130113051.GA32489@chopin.edu.pl> <4B14369D.1040608@gentoo.org>
X-PGP-Fingerprint: 0416 3C11 8D79 65B9 AAD0 2065 BBC7 14D1 9C67 CD96

* "Robin H. Johnson" :
> The GLEP on Individual developer signing has not made it into a Draft
> yet.
>
> But you can view the very brief version here:
> http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/02-developer-process-security?view=markup
[...]
> > 2. Every developer signs everything 100% of the time (make it a QA
> > check).
> +1 on this.

In the GLEPs I missed the point where the signatures of Manifests are
verified. Only the MetaManifest gets verified.

So what's the advantage of individually signed Manifests?
The only thing we can check: is the key used for signing listed in LDAP
(and thus in "the keyring of automated Gentoo keys")?
Are the keys in LDAP really mine?

Am I missing anything?

BTW: About a third of the Manifests are signed [1]. We haven't improved
since 2005/2006 [2]. The two parties are working hard against each
other [3]. 55 Manifests are signed by revoked keys [4].

[1] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest.png
[2] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/ratio_2005.png
[3] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest2.png
[4] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/signatures_by_revoked_keys.txt
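The mail's point is that, absent MetaManifest-style verification, the only thing one can ask of an individual Manifest signature is "is it signed, by which key, and is that key listed (LDAP keyring) or revoked?". The following is an added example of exactly that triage, written for this page; it is not Gentoo's tooling and not the script behind the linked statistics. It parses the OpenPGP signature packet itself (RFC 4880 packet and subpacket framing) to recover the issuer key ID and classifies the Manifest against two constructed sets, LISTED_KEY_IDS and REVOKED_KEY_IDS, whose key IDs are fake stand-ins for an LDAP export and a revocation list. The clearsigned fixture produced by fake_signed_manifest is also constructed: its packet framing is valid, but the MPI and armor checksum are dummies, so it is not a verifiable signature. Nothing here verifies a signature cryptographically; that step still needs gpg and the developers' public keys.

```python
import base64
import re
import struct

# Constructed stand-ins for the LDAP-listed developer keys and the revoked ones;
# the real sets come from LDAP and from the keys' revocation certificates.
LISTED_KEY_IDS = {"AAAA000011112222", "DEAD000000000001"}   # fake key IDs
REVOKED_KEY_IDS = {"DEAD000000000001"}

SIG_BLOCK_RE = re.compile(
    r"-----BEGIN PGP SIGNATURE-----\r?\n(.*?)-----END PGP SIGNATURE-----", re.S)

def armor_to_bytes(armor_body: str) -> bytes:
    """Drop armor headers and the '=CRC24' trailer, base64-decode the rest."""
    data, in_data = [], False
    for line in armor_body.splitlines():
        line = line.strip()
        if not in_data:
            if line == "":                 # blank line ends the armor headers
                in_data = True
                continue
            if ":" in line:                # e.g. "Version: GnuPG v2.0.11"
                continue
            in_data = True                 # no headers at all
        if line.startswith("="):           # armor checksum line
            break
        data.append(line)
    return base64.b64decode("".join(data))

def first_packet(data: bytes):
    """(tag, body) of the first OpenPGP packet, old or new format (RFC 4880 4.2)."""
    ptag = data[0]
    if not ptag & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ptag & 0x40:                        # new-format header
        tag, b1 = ptag & 0x3F, data[1]
        if b1 < 192:
            length, off = b1, 2
        elif b1 < 224:
            length, off = ((b1 - 192) << 8) + data[2] + 192, 3
        elif b1 == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not handled")
    else:                                  # old-format header, 2-bit length type
        tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03
        if ltype == 3:                     # indeterminate: rest of the data
            length, off = len(data) - 1, 1
        else:
            off = 1 + (1, 2, 4)[ltype]
            length = int.from_bytes(data[1:off], "big")
    return tag, data[off:off + length]

def subpackets(buf: bytes):
    """Yield (type, data) for each signature subpacket (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(buf):
        b1 = buf[i]
        if b1 < 192:
            length, i = b1, i + 1
        elif b1 < 255:
            length, i = ((b1 - 192) << 8) + buf[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
        yield buf[i] & 0x7F, buf[i + 1:i + length]    # length counts the type octet
        i += length

def issuer_key_id(sig_body: bytes) -> str:
    """Issuer key ID (upper-case hex) named in a v3 or v4 signature packet.
    It is only a hint: nothing authenticates it until the signature verifies."""
    version = sig_body[0]
    if version == 3:                       # v3: len, sigtype, time(4), key ID(8), ...
        return sig_body[7:15].hex().upper()
    if version != 4:
        raise ValueError(f"unsupported signature version {version}")
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", sig_body[pos:pos + 2])[0]
    for area in (sig_body[6:pos], sig_body[pos + 2:pos + 2 + unhashed_len]):
        for sub_type, sub_data in subpackets(area):
            if sub_type == 16 and len(sub_data) == 8:   # Issuer subpacket
                return sub_data.hex().upper()
    raise ValueError("signature names no issuer")

def triage_manifest(manifest_text: str) -> dict:
    """Classify one Manifest by who signed it, without verifying the signature."""
    m = SIG_BLOCK_RE.search(manifest_text)
    if m is None:
        return {"status": "unsigned", "key_id": None}
    tag, body = first_packet(armor_to_bytes(m.group(1)))
    if tag != 2:
        return {"status": "malformed", "key_id": None}
    key_id = issuer_key_id(body)
    if key_id in REVOKED_KEY_IDS:
        status = "signed-by-revoked-key"
    elif key_id in LISTED_KEY_IDS:
        status = "signed-by-listed-key"
    else:
        status = "signed-by-unknown-key"
    return {"status": status, "key_id": key_id}

def fake_signed_manifest(key_id_hex: str) -> str:
    """Constructed fixture: a clearsigned Manifest with a syntactically valid v4
    RSA/SHA-1 signature packet naming key_id_hex as issuer (dummy MPI and CRC)."""
    hashed = b"\x05\x02" + struct.pack(">I", 1259836362)       # creation-time subpacket
    unhashed = b"\x09\x10" + bytes.fromhex(key_id_hex)         # issuer subpacket (16)
    body = (b"\x04\x01\x01\x02" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd" + b"\x00\x08\x80")                   # left16 + dummy MPI
    packet = bytes([0x88, len(body)]) + body                    # old-format tag 2
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
            "DIST example-1.0.tar.gz 1234 SHA256 " + "ab" * 32 + "\n"
            "-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v2.0.11 (GNU/Linux)\n\n"
            + base64.b64encode(packet).decode() + "\n=AAAA\n"
            "-----END PGP SIGNATURE-----\n")
```

Run over a tree by walking every file named Manifest and tallying the status values; that gives the signed/unsigned ratio and the count signed by revoked keys, which is the kind of figure the mail reports. Two caveats matter in practice: the issuer key ID is an unauthenticated hint, so a "signed-by-listed-key" result only says which key the signature claims, not that it verifies; and a key that was revoked after signing still counts here as revoked, so deciding whether such a Manifest was legitimate at signing time needs the revocation date, which this check deliberately does not look at.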