public inbox for gentoo-security@lists.gentoo.org
* [gentoo-security] update on signed snapshots
@ 2004-11-16 17:16 Kurt Lieber
  2004-11-17  4:22 ` [gentoo-security] " Chris Frey
  2004-11-17  5:05 ` Chris Frey
  0 siblings, 2 replies; 3+ messages in thread
From: Kurt Lieber @ 2004-11-16 17:16 UTC
  To: gentoo-security


For those who have expressed an interest in signed snapshots, here's an
update.

CURRENT STATUS
==============

The 2004.3 release stuff got me a bit side-tracked, but as of tomorrow, we
should have the first officially signed snapshot available on our mirrors.
For reference, the main mirror is here:

http://gentoo.osuosl.org/snapshots/

So if the files are there, then all is working correctly.

The GPG key ID is:  D8BA32AA

The fingerprint is: 8861 8228 9048 D40B 3C3B  ADDA 6DC2 26AA D8BA 32AA

It is currently available on (at least) pgp.mit.edu and keyserver.net.  I
haven't figured out a good place to post it on the web site, so I'm open to
suggestions.

NEXT STEPS
==========

Make sure the signatures are working as expected and that they don't cause
any other unforeseen problems.

NEEDS TO BE DONE
================

So far, nobody has written a patch that will modify emerge-webrsync to
check these signatures.  For now, you will have to check things manually.
If/when someone does submit a patch, I will pass it along to the
emerge-webrsync maintainer.  There is also a chance that one of the devs
will make the changes as well, but no commitments have been made.


--kurt
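
The manual check mentioned in this message can be scripted by reading gpg's machine-readable status output and comparing the signer against the full fingerprint posted above rather than the 8-character key ID. This is an added example, not part of the original message and not emerge-webrsync code; the function names and the two file arguments are assumptions, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Fingerprint posted in the message above, spaces removed.
PINNED_FPR="886182289048D40B3C3BADDA6DC226AAD8BA32AA"

# Read `gpg --status-fd` lines on stdin; succeed only if a valid signature
# from the key with fingerprint $1 is reported and no signature is bad,
# expired, unverifiable, or made by an expired or revoked key.
status_ok() {
    want="$1"; rc=1
    while read -r tag kw fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            VALIDSIG)
                # First value is the signing (sub)key fingerprint; the last
                # is the primary key fingerprint when gpg reports one.
                primary="${rest##* }"
                if [ "$fpr" = "$want" ] || [ "$primary" = "$want" ]; then
                    rc=0
                else
                    return 1
                fi ;;
        esac
    done
    return "$rc"
}

# verify_snapshot FILE SIG: check detached signature SIG over FILE using
# keys already in the caller's keyring (import the key first and compare
# the output of `gpg --fingerprint D8BA32AA` with the fingerprint above).
verify_snapshot() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        status_ok "$PINNED_FPR"
}

# Constructed status output for a signature by the pinned key (sample data).
sample_good() {
    f="$PINNED_FPR"
    printf '%s\n' "[GNUPG:] GOODSIG 6DC226AAD8BA32AA Constructed Signer" \
        "[GNUPG:] VALIDSIG $f 2004-11-17 1100667600 0 3 0 17 2 00 $f"
}

# Usage: sh verify.sh <snapshot-file> <signature-file>  (placeholder names)
if [ "$#" -eq 2 ]; then
    verify_snapshot "$1" "$2" && echo "signature OK, key matches pinned fingerprint"
fi
```

A signature that verifies against some other key in the keyring is rejected, which a plain exit-status check of `gpg --verify` would not do.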


* [gentoo-security] Re: update on signed snapshots
  2004-11-16 17:16 [gentoo-security] update on signed snapshots Kurt Lieber
@ 2004-11-17  4:22 ` Chris Frey
  2004-11-17  5:05 ` Chris Frey
  1 sibling, 0 replies; 3+ messages in thread
From: Chris Frey @ 2004-11-17  4:22 UTC
  To: gentoo-security

On Tue, Nov 16, 2004 at 05:16:27PM +0000, Kurt Lieber wrote:
> The 2004.3 release stuff got me a bit side-tracked, but as of tomorrow, we
> should have the first officially signed snapshot available on our mirrors.
> For reference, the main mirror is here:
> 
> http://gentoo.osuosl.org/snapshots/

Thanks!

> The GPG key ID is:  D8BA32AA
> 
> The fingerprint is: 8861 8228 9048 D40B 3C3B  ADDA 6DC2 26AA D8BA 32AA
> 
> It is currently available on (at least) pgp.mit.edu and keyserver.net.  I
> haven't figured out a good place to post it on the web site, so I'm open to
> suggestions.

When I look for keys on the website, I usually look under any "security"
oriented links, or under the "about" link.  I also look in any documents
describing the installation procedure, under "how to get XYZ software", etc.

Unfortunately, it usually takes me 15 minutes or more to hunt down a key,
and sometimes I'm not successful.  The closer it is to the main page,
the better, in my opinion.

- Chris


--
gentoo-security@gentoo.org mailing list



* [gentoo-security] Re: update on signed snapshots
  2004-11-16 17:16 [gentoo-security] update on signed snapshots Kurt Lieber
  2004-11-17  4:22 ` [gentoo-security] " Chris Frey
@ 2004-11-17  5:05 ` Chris Frey
  1 sibling, 0 replies; 3+ messages in thread
From: Chris Frey @ 2004-11-17  5:05 UTC
  To: gentoo-security

On Tue, Nov 16, 2004 at 05:16:27PM +0000, Kurt Lieber wrote:
> So far, nobody has written a patch that will modify emerge-webrsync to
> check these signatures.  For now, you will have to check things manually.
> If/when someone does submit a patch, I will pass it along to the
> emerge-webrsync maintainer.  There is also a chance that one of the devs
> will make the changes as well, but no commitments have been made.

I'll post my patch here once I can test it to make sure it works.

- Chris

