From: Dane Smith
Date: Fri, 25 Mar 2011 07:59:49 -0400
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] rejecting unsigned commits
Message-ID: <4D8C83B5.5040600@gentoo.org>
In-Reply-To: <4D8C82B9.5070309@gentoo.org>
References: <4D8C82B9.5070309@gentoo.org>
List-Id: Gentoo Linux mail

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/25/2011 07:55 AM, "Paweł Hajdan, Jr." wrote:
> On 3/24/11 10:59 PM, Mike Frysinger wrote:
>> is there any reason we should allow people to commit unsigned
>> Manifests anymore ? generating/posting/enabling a gpg key is
>> ridiculously easy and there's really no excuse for a dev to not have
>> done this already.
> 
> Firstly, I'm excited we're moving towards a signed portage tree.
> 
> We can start with a repoman warning (yellow) and a transition period.
> 
>> when i look at the tree, the signed stats are stupid low:
>> $ find *-* -maxdepth 2 -name Manifest | wc -l
>> 14438
>> $ find *-* -maxdepth 2 -name Manifest -exec grep -l 'BEGIN PGP SIGNATURE' {} + | wc -l
>> 6032
> 
> If I'm interpreting the data correctly, about 43% of Manifest files are
> signed. That's not too bad, I was expecting something more like 5%.
> 
> By the way, is it acceptable to use the same GPG key for e-mail and
> signing packages?

Yes. In fact, I'd recommend it. Saves having to try to keep track of 2
keys / dev.

Having said that, for those that just use "keys" for e-mails (most of
us), it would make more sense to use full-blown SSL certs in the long
run. (Mathematically, same thing. But a cert needs to be signed by a CA,
and we should ideally maintain a Gentoo CA.)

I need to get up to speed with the GLEPs pertaining to this. Let's just
say I have a fair bit of experience in this field. I may be able to
offer some ideas / suggestions. I would very much like to see this
happen.

But for the meantime, yes, it's safe.
- -- 
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJNjIO0AAoJEEsurZwMLhUxlsIP/2oaWnkWr160fj8027WA3Jbe
oI5dXXvZr2RDMxFXKcyx0qiTfVlhVClJIBn8wANf41uKmMh6azIN5Ug4cDk++0ku
qYXvIne4W65TCifU44h80AAOEVBLQwN+d2VCeq7/qu6qJp9PT1SIzCaZZCtRAvOK
NwH5ZuUTrcewa/SbADIwP2hbQiLs8m241XJNNWGcIgflbO0OhcvUPlLM6/fUS56X
364EUGDo/TAAtkrIhWKKD2xsRoPmmO2uE7euPNhI4pFGUbKXVtb5Lb/qY9iLDgYy
PciHr2yFwOY1P16hr51Dbo8b5rPAncIHJFBUBHd89OnZHCwkBUP1z7l1J13NfClw
/hoYQe0DO/CrWz2pKF4I3pxP1MnULKKB2ib8RFswCJY2mxKvGeGJoQyZpT/GtCGb
vN8o20Kd3Ci+CEpeIo3sqxt04kNoMvMLEq9ZJ++a8c0wijX63ChRL5/+qRxzGDtc
I9pN34RDuAuUck0Wp+R/TTG4Bjh5ixQkeh199NoqjNLA02rE0QVElm7PlIJxg36/
pp101gH68H0t6EGAFrnGHAG6w/8yAz+Mcm+4WLjpDAPSMXYahZXOCKFn9WV0WgBS
e0EG2xr8BD7SqUrZRSlxjGsbFVCVaGvS9qFO4e2B4dKPy1mjwcTdBQRGZOfd3kGM
WDV73IcPr2K9cQFJD+Te
=yiPl
-----END PGP SIGNATURE-----
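Added example (editor's note, not code from this thread, from repoman or from portage): the find/grep pair quoted above counts Manifest files that contain the string "BEGIN PGP SIGNATURE" anywhere. For a rejection policy that is not quite the right test: a clearsigned file only protects the lines between the "BEGIN PGP SIGNED MESSAGE" header and the signature block, so entries appended after "END PGP SIGNATURE", or a header with no signature block at all, would still pass the grep. The script below walks the same category/package/Manifest layout, classifies each file as unsigned, signed, partial (some entries outside the signed body) or malformed, and keeps a separate hook that hands the file to the real `gpg --batch --verify`, because structural checks never replace cryptographic verification. The Manifest entry tags (DIST/EBUILD/MISC/AUX), the sample tree and the fake signature body are assumptions constructed for the example; the fake signature will not verify with gpg.

```python
#!/usr/bin/env python3
"""Audit Manifest signature coverage in a Portage-style tree.

Added example, not Gentoo's repoman/portage code. The sample tree and the
"signature" in it are constructed test data; the entry tags are assumed.
"""
from __future__ import annotations

import shutil
import subprocess
import tempfile
from dataclasses import dataclass
from pathlib import Path

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
ENTRY_TAGS = {"DIST", "EBUILD", "MISC", "AUX"}  # assumed Manifest entry types


@dataclass
class ManifestStatus:
    path: Path
    state: str      # "unsigned" | "signed" | "partial" | "malformed"
    entries: int    # entry lines found anywhere in the file
    covered: int    # entry lines inside the clearsigned body


def classify_manifest(text: str) -> tuple[str, int, int]:
    """Return (state, entries, covered) for the text of one Manifest."""
    lines = text.splitlines()
    entry_idx = [i for i, ln in enumerate(lines) if ln.split(" ", 1)[0] in ENTRY_TAGS]
    total = len(entry_idx)
    if BEGIN_SIGNED not in lines:
        return "unsigned", total, 0
    start = lines.index(BEGIN_SIGNED)
    try:
        sig_start = lines.index(BEGIN_SIG, start)
        lines.index(END_SIG, sig_start)
    except ValueError:  # clearsign header present but no complete signature block
        return "malformed", total, 0
    # Only lines strictly between the header and the signature block are signed.
    covered = sum(1 for i in entry_idx if start < i < sig_start)
    if covered == total:
        return "signed", total, covered
    return "partial", total, covered  # entries before the header or after the signature


def scan_tree(root: Path) -> list[ManifestStatus]:
    """Classify every category/package/Manifest (the find -maxdepth 2 layout)."""
    result = []
    for path in sorted(root.glob("*/*/Manifest")):
        state, total, covered = classify_manifest(path.read_text(encoding="utf-8", errors="replace"))
        result.append(ManifestStatus(path, state, total, covered))
    return result


def summarize(statuses: list[ManifestStatus]) -> dict[str, int]:
    counts = {"unsigned": 0, "signed": 0, "partial": 0, "malformed": 0}
    for s in statuses:
        counts[s.state] += 1
    return counts


def gpg_verify(path: Path) -> bool | None:
    """Cryptographic check with the system gpg; None if gpg is not installed.

    A "signed" result from classify_manifest only says the file is shaped
    correctly; whether the signature is good, and from a trusted key, is gpg's job.
    """
    if shutil.which("gpg") is None:
        return None
    res = subprocess.run(["gpg", "--batch", "--verify", str(path)], capture_output=True, text=True)
    return res.returncode == 0


# Constructed sample data. FAKE_SIG is not a real OpenPGP packet.
UNSIGNED = "DIST foo-1.0.tar.gz 1234 SHA256 0000\nEBUILD foo-1.0.ebuild 567 SHA256 1111\n"
FAKE_SIG = f"{BEGIN_SIG}\nVersion: GnuPG v2\n\niQEcBAEBAgAGBQJNjIO0AAoJEExample\n=AbCd\n{END_SIG}\n"
SIGNED = f"{BEGIN_SIGNED}\nHash: SHA1\n\n{UNSIGNED}{FAKE_SIG}"
PARTIAL = SIGNED + "EBUILD foo-1.1.ebuild 570 SHA256 2222\n"  # appended after the signature


def build_sample_tree(root: Path) -> None:
    for pkg, body in (("app-misc/unsigned", UNSIGNED), ("app-misc/signed", SIGNED),
                      ("app-misc/partial", PARTIAL)):
        d = root / pkg
        d.mkdir(parents=True)
        (d / "Manifest").write_text(body, encoding="utf-8")


def run_sample() -> dict[str, int]:
    """Build the constructed tree in a temp dir, scan it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        statuses = scan_tree(root)
        for s in statuses:
            print(f"{s.path.relative_to(root)}: {s.state} ({s.covered}/{s.entries} entries covered)")
        return summarize(statuses)


if __name__ == "__main__":
    print(run_sample())
```

Run it against a real checkout by replacing the temp root with the tree's top directory; the "partial" and "malformed" buckets are the ones a rejection rule in repoman would need to treat as unsigned, and anything counted as "signed" should still be passed through gpg_verify before it is trusted.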