From: Rui Covelo
Organization: Instituto Superior Técnico
Date: Sun, 07 Nov 2004 17:04:29 +0000
To: Chris Frey
CC: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] Re: Re: Is anybody else worried about this?
Message-ID: <418E559D.1090104@mega.ist.utl.pt>
In-Reply-To: <20041107114445.B9045@netdirect.ca>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

| So is the solution. It was posted a few messages back.
| We just need some admin to drop a find script on the main server and set up
| the required keys. Once the signatures are there, anyone can write the
| userland script to do the verification, but until then, there's no point to
| write it since the server implementation is not known.
|
| - Chris

Read Peter's message moments after sending mine.

I like Peter's idea. But the question is still, where to keep the public key and private key. Yes, maybe it's better to trust the developers than any mirror admin.

Adding to what Peter said, what about having the public and private key changed periodically (developers come and go, keys should come and go too) and have the portage download automatically the public key and revocation certificates when needed from a single server? Ex: www.gentoo.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBjlWbfLPhlaxNQk0RAqfZAJsGaLid/8BzfXhQVbsNlLDKgfaUbQCggsW7
kc2rYAq3W0CdOCTgDYcQ0jQ=
=GziW
-----END PGP SIGNATURE-----

--
gentoo-security@gentoo.org mailing list