From: Kurt Lieber
To: gentoo-security@lists.gentoo.org
Date: Mon, 8 Nov 2004 10:19:21 +0000
Subject: Re: [gentoo-security] Re: No, apparently not. (was: Is anybody else worried about this?)
Message-ID: <20041108101921.GV10927@mail.lieber.org>
In-Reply-To: <20041108091926.GA4342@eric.schwarzvogel.de>

On Mon, Nov 08, 2004 at 10:19:27AM +0100 or thereabouts, Tobias Klausmann wrote:
> > cat /usr/portage/sys-apps/portage/Manifest
>
> This does not contain a GPG signature here. Of all packages...

It did when I typed that message last night. Someone must have committed a new version of portage without signing things. I agree, portage should be signed. It's still a new process for us, so it will take time to get to 100%.

> I've run a script across the entire tree, collecting 43 different
> signature key IDs from Manifest files in all (from a total of
> 2074 signed Manifest files, making up about 1/4). Of those keys,
> 16 were unavailable on the Subkeys Public Key Network (listed
> below). Where can I get those?

Good question -- I don't know. They should be available on pgp.mit.edu, but if they're not, then I'd suggest you start filing bugs against those individual packages. (NOT portage bugs)

--kurt
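
A tree-wide audit of the kind described in the quoted text, as an added example (it is not the script used in the thread): it walks a Portage tree, reads the issuer key ID from each Manifest's OpenPGP signature packet (v3 or v4), and counts unsigned Manifests under `None`. The function names, the two-package sample tree and the key ID `0123456789ABCDEF` are constructed for illustration.

```python
import base64, os, pathlib, re, tempfile
SIG = re.compile(r"-----BEGIN PGP SIGNATURE-----\n(.*?)\n-----END PGP SIGNATURE-----", re.S)

def issuer_key_id(armor):
    """Issuer key ID (hex) of an armored signature (armor headers and CRC line skipped), or None."""
    data = base64.b64decode("".join(
        l for l in armor.split("\n") if ":" not in l and not l.startswith("=")))
    new = data[0] & 0x40                  # new- vs old-format header (short lengths only)
    tag = data[0] & 0x3F if new else (data[0] >> 2) & 0x0F
    skip = (2 if data[1] < 192 else 3) if new else 1 + (1, 2, 4, 0)[data[0] & 3]
    body = data[skip:]
    if tag != 2 or body[0] not in (3, 4):
        return None                       # not a v3/v4 signature packet
    if body[0] == 3:                      # v3: version, 5, type, time(4), key ID(8)
        return body[7:15].hex().upper()
    pos = 4                               # v4: hashed, then unhashed subpacket area
    for _ in range(2):
        n = int.from_bytes(body[pos:pos + 2], "big")
        area, pos, i = body[pos + 2:pos + 2 + n], pos + 2 + n, 0
        while i < len(area):
            ln, i = area[i], i + 1        # subpacket length; 5-octet form not handled
            if 192 <= ln < 255:           # two-octet length
                ln, i = ((ln - 192) << 8) + area[i] + 192, i + 1
            if area[i] & 0x7F == 16:      # subpacket type 16 = issuer key ID
                return area[i + 1:i + 9].hex().upper()
            i += ln
    return None

def audit_tree(root):
    """Count Manifests per signing key ID; unsigned ones are counted under None."""
    counts = {}
    for d, _, files in os.walk(root):
        if "Manifest" in files:
            with open(os.path.join(d, "Manifest"), encoding="latin-1") as fh:
                m = SIG.search(fh.read())
            kid = issuer_key_id(m.group(1)) if m else None
            counts[kid] = counts.get(kid, 0) + 1
    return counts

def demo():
    """Audit a constructed two-package tree; the key ID is made up."""
    pkt = bytes([0x88, 19, 3, 5, 0]) + bytes(4) + bytes.fromhex("0123456789ABCDEF") + bytes(4)
    sig = ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n%s\n=AAAA\n"
           "-----END PGP SIGNATURE-----\n" % base64.b64encode(pkt).decode())
    with tempfile.TemporaryDirectory() as root:
        for pkg, tail in (("sys-apps/signed", sig), ("sys-apps/unsigned", "")):
            pathlib.Path(root, pkg).mkdir(parents=True)
            pathlib.Path(root, pkg, "Manifest").write_text("MD5 0000 example.ebuild 0\n" + tail)
        return audit_tree(root)
```

The key IDs returned by `audit_tree` only say which key a signature claims to come from; checking the signature itself still requires fetching that key and running a real OpenPGP verification.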