From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id C78EA1384B4 for ; Sun, 13 Dec 2015 19:05:43 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id EEB2521C0A4; Sun, 13 Dec 2015 19:05:35 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 1780521C00F for ; Sun, 13 Dec 2015 19:05:33 +0000 (UTC) Received: from [192.168.178.23] (ip5f5af621.dynamic.kabel-deutschland.de [95.90.246.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: patrick) by smtp.gentoo.org (Postfix) with ESMTPSA id 2C90B3408EE for ; Sun, 13 Dec 2015 19:05:30 +0000 (UTC) Subject: Re: [gentoo-dev] repo/gentoo.git, or how committing is challenging To: gentoo-dev@lists.gentoo.org References: <566DACB3.2010105@gentoo.org> <566DAD2F.1010100@gentoo.org> <20151213215039.fdbaec6a7d5248e82fb882ac@gentoo.org> From: Patrick Lauer Message-ID: <566DC15E.6010002@gentoo.org> Date: Sun, 13 Dec 2015 20:05:02 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 In-Reply-To: <20151213215039.fdbaec6a7d5248e82fb882ac@gentoo.org> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-Archives-Salt: bde273e4-624f-411d-af32-28809667788b X-Archives-Hash: ad4049cbec02107c36443f32e37d3efd On 12/13/2015 07:50 PM, Andrew Savchenko wrote: > Hi, > > On Sun, 13 Dec 2015 18:38:55 +0100 Patrick Lauer wrote: >> On 12/13/2015 06:36 PM, Patrick Lauer wrote: >>> So apparently we're signing things with gpg now >> And a related question: >> >> How would I actually verify the signatures in a meaningful way? > git log --show-signature does this using GnuPG. That's not very automated or effective. I'd assume 'emerge' has such functionality included ...? > > Of course, in order to gpg to work one have to mark dev keys as > trusted, they can be verified using ldap or several public > keyservers. LDAP is more reliable, of course, but this method works > only for devs (and probably some stuff members) having an access > here. That's what the app-crypt/gkeys thing is for, as far as I can tell.