From: "Paweł Hajdan, Jr."
Date: Sat, 08 Oct 2011 16:39:40 -0700
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] integrity of stage files
Message-ID: <4E90DF3C.8030307@gentoo.org>
References: <4E90C45E.7020203@gentoo.org>

On 10/8/11 3:43 PM, Robin H. Johnson wrote:
>> 1. Why are we using _only_ MD5 and SHA1 as the checksums? Shouldn't we
>> be using something stronger?
> Fixed in Catalyst now.
> http://git.overlays.gentoo.org/gitweb/?p=proj/catalyst.git;a=commit;h=42b4f6608682cf03954918ecce7923330a1656fe
> So when the stagebuilders update their Catalyst, they will be generated
> with newer hashes.

Thank you for a quick reaction, but maybe in one aspect it was too quick:
tells people to use md5sum, and the patch above _removes_ md5 sum, which
means the Handbook instructions now won't work.

Suggested course of action:

1. Please re-add md5 sum.
2. File a bug to modify the handbook to verify sha sum instead.
3. Then remove the checksum.

>> 2. I noticed the checksums are signed (.asc files). With what key are
>> they signed? How is that key handled, and how to ensure people use the
>> right key when verifying the signature?
> Documented here:
> http://www.gentoo.org/proj/en/releng/

Ah, I just forgot about that page. Okay, so can we also update the
Handbook to include GPG signature checking?
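The verification flow the thread is arguing for (check the GPG signature on the digests file first, then refuse to rely on MD5 or SHA1 alone), as an added example that is not code from this thread, from Catalyst or from the Handbook. It assumes the DIGESTS layout of `# ALGO HASH` header lines followed by `<hex>  <file>` entries inside a clearsigned `.asc` file, a local `gpg` binary, and a dedicated keyring holding only the release key; the sample digests are constructed from the bytes `b"abc"`.

```python
import hashlib
import re
import subprocess
from pathlib import Path
PREFERRED = ("sha512", "sha256", "whirlpool")  # strongest first; MD5/SHA1 never count

# Constructed sample in the assumed '# ALGO HASH' / '<hex>  <file>' layout of a
# clearsigned stage DIGESTS.asc; the hex values are the digests of the bytes b"abc".
SAMPLE_DIGESTS = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

# MD5 HASH
900150983cd24fb0d6963f7d28e17f72  stage3-example.tar.bz2
# SHA1 HASH
a9993e364706816aba3e25717850c26c9cd0d89d  stage3-example.tar.bz2
# SHA512 HASH
ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f  stage3-example.tar.bz2
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""

def verify_signature(signed_digests: Path, keyring: Path) -> None:
    # Step 1: gpg (using only the dedicated release keyring) must accept the signature first.
    subprocess.run(["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
                    "--verify", str(signed_digests)], check=True, capture_output=True)

def parse_digests(text: str) -> dict:
    # Step 2: build {algorithm: {filename: hexdigest}}; PGP armour lines never match.
    out: dict = {}
    algo = None
    for line in text.splitlines():
        head = re.match(r"#\s*(\w+)\s+HASH", line.strip(), re.I)
        entry = re.match(r"([0-9a-fA-F]+)\s+(\S+)$", line.strip())
        if head:
            algo = head.group(1).lower()
        elif algo and entry:
            out.setdefault(algo, {})[entry.group(2)] = entry.group(1).lower()
    return out

def verify_bytes(data: bytes, name: str, digests: dict) -> str:
    # Step 3: check the strongest listed digest hashlib can compute; MD5/SHA1 alone is rejected.
    for algo in PREFERRED:
        expected = digests.get(algo, {}).get(name)
        if expected is None or algo not in hashlib.algorithms_available:
            continue
        if hashlib.new(algo, data).hexdigest() != expected:
            raise ValueError(f"{algo} mismatch for {name}")
        return algo
    raise ValueError(f"no acceptable digest for {name} (MD5/SHA1 alone do not count)")
```

For a real stage file, call `verify_signature` on the `.DIGESTS.asc`, then `verify_bytes(stage.read_bytes(), stage.name, parse_digests(asc.read_text()))`; any exception means the tarball must not be used.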