From: "Paweł Hajdan, Jr."
Date: Sat, 08 Oct 2011 14:45:02 -0700
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] integrity of stage files
Message-ID: <4E90C45E.7020203@gentoo.org>
List-Id: Gentoo Linux mail
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:6.0.2) Gecko/20110902 Thunderbird/6.0.2

This is an OpenPGP/MIME signed message (RFC 2440 and 3156).

I checked and the Handbook only mentions validating MD5 checksums. There are two possible issues:

1. Why are we using _only_ MD5 and SHA1 as the checksums? Shouldn't we be using something stronger?

2. I noticed the checksums are signed (.asc files). With what key are they signed? How is that key handled, and how do we ensure people use the right key when verifying the signature?

Paweł

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)

iEYEARECAAYFAk6QxGUACgkQuUQtlDBCeQKnuwCeI0CTMH0iC372wJX+x2ow8Xkb
CMIAnReNYns+gkyLWUxu/769zGx6G5eH
=7q0H
-----END PGP SIGNATURE-----
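The first question in the message is about what a stage-file consumer should actually accept as a checksum. The following is an added example, not code from the mailing list post or from Gentoo's own release tooling: it parses a DIGESTS-style file, refuses to treat MD5 or SHA1 as sufficient evidence of integrity, and verifies the tarball against the stronger digests that are present. The DIGESTS layout used here (a "# ALGO HASH" header line followed by "<hex>  <filename>") and the sample tarball bytes are constructed assumptions. The check answers only the first question; it is only meaningful once the DIGESTS file itself has been authenticated, which is the second question (the .asc signature and the key it is checked against).

```python
"""Verify a stage tarball against a DIGESTS-style file, refusing digest
sets that offer only MD5/SHA1.  Added example, not from the mailing-list
post or from Gentoo's own tooling.  ASSUMPTION: the DIGESTS layout is a
"# ALGO HASH" header followed by "<hexdigest>  <filename>" lines."""
import hashlib

# Policy: only these algorithms count as evidence of integrity.  MD5 and SHA1
# are still parsed (so older files are understood) but never satisfy the policy.
STRONG = {"SHA512", "SHA256"}
ALGO_MAP = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def parse_digests(text):
    """Return {filename: {ALGO: hexdigest}} from DIGESTS-style text."""
    result = {}
    algo = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            parts = line[1:].split()
            if len(parts) >= 2 and parts[1].upper() == "HASH":
                algo = parts[0].upper()
            continue
        if algo is None:
            raise ValueError("digest line before any '# ALGO HASH' header")
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"malformed digest line: {line!r}")
        hexdigest, filename = fields
        result.setdefault(filename.strip(), {})[algo] = hexdigest.lower()
    return result


def verify(data, filename, digests):
    """Return (ok, reason).  Only strong digests are compared; a file that
    carries nothing but MD5/SHA1 is rejected outright rather than checked.
    NOTE: this assumes the DIGESTS text was already signature-verified
    against a pinned key; a checksum from an unauthenticated file proves
    nothing about who produced the tarball."""
    entry = digests.get(filename)
    if entry is None:
        return False, f"no digests for {filename}"
    strong = sorted(a for a in entry if a in STRONG and a in ALGO_MAP)
    if not strong:
        return False, "only weak digests available: " + ",".join(sorted(entry))
    for algo in strong:
        got = hashlib.new(ALGO_MAP[algo], data).hexdigest()
        if got != entry[algo]:
            return False, f"{algo} mismatch"
    return True, "verified with " + ",".join(strong)


def make_digests(data, filename, algos):
    """Build DIGESTS-style text for constructed sample data (fixture only)."""
    out = []
    for algo in algos:
        out.append(f"# {algo} HASH")
        out.append(f"{hashlib.new(ALGO_MAP[algo], data).hexdigest()}  {filename}")
    return "\n".join(out) + "\n"


# Constructed sample input: stand-in bytes for a stage3 tarball.
STAGE_NAME = "stage3-amd64-20111006.tar.bz2"
STAGE_DATA = b"constructed stage tarball contents, not a real archive\n"
GOOD_DIGESTS = make_digests(STAGE_DATA, STAGE_NAME, ["MD5", "SHA1", "SHA512"])
WEAK_DIGESTS = make_digests(STAGE_DATA, STAGE_NAME, ["MD5", "SHA1"])


def demo():
    """Run the three cases a practitioner cares about; returns the results."""
    good = verify(STAGE_DATA, STAGE_NAME, parse_digests(GOOD_DIGESTS))
    weak = verify(STAGE_DATA, STAGE_NAME, parse_digests(WEAK_DIGESTS))
    tampered = verify(STAGE_DATA + b"x", STAGE_NAME, parse_digests(GOOD_DIGESTS))
    return good, weak, tampered


if __name__ == "__main__":
    for label, outcome in zip(("good", "weak-only", "tampered"), demo()):
        print(f"{label}: {outcome}")
```

The point of rejecting a weak-only file rather than checking it is that MD5 and SHA1 would still "match" a tarball an attacker built to collide with the published digest; a verifier that reports success in that case gives the user a false sense of integrity. Layering a strong-digest policy on top of signature verification also leaves a clear place to pin the fingerprint of the release key, which is the part of the process the second question in the message asks about.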