From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-dev+bounces-73651-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 54AFD1384B4
	for <garchives@archives.gentoo.org>; Sun, 13 Dec 2015 18:51:21 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id BAF0521C0A6;
	Sun, 13 Dec 2015 18:51:13 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id C1FD521C055
	for <gentoo-dev@lists.gentoo.org>; Sun, 13 Dec 2015 18:51:12 +0000 (UTC)
Received: from localhost (unknown [91.246.99.151])
	(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	(Authenticated sender: bircoph)
	by smtp.gentoo.org (Postfix) with ESMTPSA id F2E5F340766
	for <gentoo-dev@lists.gentoo.org>; Sun, 13 Dec 2015 18:51:10 +0000 (UTC)
Date: Sun, 13 Dec 2015 21:50:39 +0300
From: Andrew Savchenko <bircoph@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] repo/gentoo.git, or how committing is challenging
Message-Id: <20151213215039.fdbaec6a7d5248e82fb882ac@gentoo.org>
In-Reply-To: <566DAD2F.1010100@gentoo.org>
References: <566DACB3.2010105@gentoo.org>
	<566DAD2F.1010100@gentoo.org>
X-Mailer: Sylpheed 3.4.3 (GTK+ 2.24.20; i686-pc-linux-gnu)
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature";
 micalg="PGP-SHA512";
 boundary="Signature=_Sun__13_Dec_2015_21_50_39_+0300_dpajRowWT/wYoBB="
X-Archives-Salt: 2cf50537-4174-4719-ad43-69cbc004df40
X-Archives-Hash: 11b2e1907789fdba3b4f0512ea515471

--Signature=_Sun__13_Dec_2015_21_50_39_+0300_dpajRowWT/wYoBB=
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi,

On Sun, 13 Dec 2015 18:38:55 +0100 Patrick Lauer wrote:
> On 12/13/2015 06:36 PM, Patrick Lauer wrote:
> >  So apparently we're signing things with gpg now
>=20
> And a related question:
>=20
> How would I actually verify the signatures in a meaningful way?

git log --show-signature does this using GnuPG.

Of course, in order to gpg to work one have to mark dev keys as
trusted, they can be verified using ldap or several public
keyservers. LDAP is more reliable, of course, but this method works
only for devs (and probably some stuff members) having an access
here.

> ... and why is that not default then.


Best regards,
Andrew Savchenko

--Signature=_Sun__13_Dec_2015_21_50_39_+0300_dpajRowWT/wYoBB=
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJWbb3/AAoJEPZTWjO6HuSNtUAQAIrrt3lNhw17LjEeY4ZEtdoQ
AB5etDSXoGusi7DP0Wvi3baXKb8TNnStGuiiyXJKq2MxeR7U5a4EpJSzLLBiC1DC
dE/HycH8/tpwsUGeAwC4j5C/B8a+DGTJ9E6ylpvB+CEmNNIiuJsyTO8/rLpjJ6FQ
sUmoREohHhnuVAn4QKol10kfgt8OqlaQEHixcL/tavHlGnmHyv3h3/4sxitvL81e
D4lLT4ZvbF6CD2m+ux4B9N9F96HwvrIE1yUjwkrnuyCO8b74niXjxrr7SP359LgO
GTRdzwniLXCajyTvaGwGqRS4ud3Gl+A/JY39Y3Hktnd62W2uTGHAX/YuRchmpdfJ
O2n1F1PntUSEZWiqpVpCRrTnmxsB1EBhPWLEvLrpN3aOc8/G51/bG/ZF7MevwBY9
a8pkiDIRhaQagMlutwX8HhNrLwoaqiJqNWho+3UdOi46dqO8BjlKJtmDmNPGxekf
QMRHNzEQ/oMM1QsM/gql8IVvv8hiDMdnU1XhS5K721jeRERs0Tx+F28fmBB/sp8/
NYEOebN8F5MwDKW9luK4+uLusBBjLjeTgTVUJ5z6AQG81YZovqLKsSM2Q2qPwcsF
D6Ugw1aiARQuqZFPtWX3XE3d4o+9r6bKtDvvZxV3Tp0jVsoOfYJt8IuAd6713s0P
ghuBnIyQ4QxHi2LjoNbZ
=E9LQ
-----END PGP SIGNATURE-----

--Signature=_Sun__13_Dec_2015_21_50_39_+0300_dpajRowWT/wYoBB=--