From: Michael Weber
Date: Fri, 08 Jun 2012 15:40:57 +0200
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing
Message-ID: <4FD200E9.90907@gentoo.org>
References: <20120604191000.GA3692@localhost> <20120604204132.GB3692@localhost> <20120608110155.GA15249@odin.tremily.us>

On 06/08/2012 01:36 PM, Rich Freeman wrote:
> I doubt any dev checks the signatures on manifest files before
> they overwrite them with a new signature. If they did it wouldn't
> matter since those signatures aren't even mandatory anyway.
>
> Certainly it isn't intuitive to me that when I perform a signature
> on changes I make that I'm also vouching for work committed by
> somebody else before me.

I'm trying to do this, but first we need a keyring with all dev GPG keys - securely distributed - to verify the signatures.

We (almost all) have gentoogpg key-ids in LDAP, most have fingerprints in gentoofingerprint in LDAP, but we have to download these keys from public keyservers. And it's not mandatory to either sign at all or to sign with the keys mentioned in LDAP.

Someone pointed me to tove's list of GPG keys used for signing [1].

I'd suggest generating a tarball (containing a keyring), signed by a master key (member of trustees/council/..), to be deployed on all systems (like it's done on Arch Linux and Debian).

But the current vulnerability is exporting/importing these keys to pgp.mit.edu et al.

Suggestions?

Michael

[1] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/keys_in_use.txt

-- 
Gentoo Dev
http://xmw.de/
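The check Michael's mail asks for, verifying that the key which signed a Manifest is the one that developer declares in LDAP, as an added example that is not part of this thread: it parses constructed `gpg --status-fd 1 --verify Manifest` output and rates a match on a bare 64-bit key ID as weaker than a match on the full fingerprint. `LDAP_KEYS`, `sample_status`, the developer names and all fingerprints are made-up values.

```python
# Constructed sample of developer -> declared key data. Real values would come from the
# key-ID and fingerprint attributes in LDAP that the post mentions; these are made up.
LDAP_KEYS = {
    "alice": {"AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"},  # full primary-key fingerprint
    "bob": {"0000CDEF0000FEDC"},                             # only a 64-bit key ID declared
}

# Status tokens after which the signature cannot be trusted
# (unsigned file, bad, expired or revoked signature, unknown key).
FATAL = {"NODATA", "BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def sample_status(signing_fpr, primary_fpr):
    """Constructed lines in the shape of `gpg --status-fd 1 --verify Manifest` output."""
    return [
        "[GNUPG:] NEWSIG",
        "[GNUPG:] GOODSIG %s Developer <dev@gentoo.org>" % signing_fpr[-16:],
        "[GNUPG:] VALIDSIG %s 2012-06-08 1339162857 0 4 0 1 8 01 %s" % (signing_fpr, primary_fpr),
        "[GNUPG:] TRUST_UNDEFINED 0 pgp",
    ]


def check_manifest(status_lines, committer, ldap_keys=LDAP_KEYS):
    """Classify the Manifest signature as ('ok' | 'weak' | 'fail', reason)."""
    primary = None
    for line in status_lines:
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "[GNUPG:]":
            continue  # ordinary gpg output, not a status line
        if tokens[1] in FATAL:
            return "fail", "gpg reported %s" % tokens[1]
        if tokens[1] == "VALIDSIG" and primary is None:
            # Field 1 is the signing (sub)key; the optional last field is the primary key,
            # which is what a developer records in LDAP.
            primary = tokens[11] if len(tokens) > 11 else tokens[2]
    if primary is None:
        return "fail", "no valid signature on Manifest"
    declared = ldap_keys.get(committer, set())
    if not declared:
        return "fail", "%s has no key recorded in LDAP" % committer
    if primary in declared:
        return "ok", "signed with fingerprint %s declared for %s" % (primary, committer)
    if any(len(k) == 16 and primary.endswith(k) for k in declared):
        # A key ID is only the low 64 bits of the fingerprint, so this match is weaker.
        return "weak", "matched by key ID only; LDAP holds no fingerprint for %s" % committer
    return "fail", "signed with %s, which %s does not declare in LDAP" % (primary, committer)
```

Run against real output, the status lines come from `gpg --status-fd 1 --no-default-keyring --keyring <deployed keyring> --verify Manifest`, and the committer name from the commit being checked.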