* "Robin H. Johnson" <robb...@gentoo.org>:
> The GLEP on Individual developer signing has not made it into a Draft
> yet.
>
> But you can view the very brief version here:
> http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/02-developer-process-security?view=markup
[...]
> > 2. Every developer signs everything 100% of the time (make it a QA
> > check).
> +1 on this.

In the GLEPs I missed the point where the signatures of Manifests are verified. Only the MetaManifest gets verified. So what's the advantage of individually signed Manifests?

The only thing we can check: Is the key used for signing listed in ldap (and thus in "the keyring of automated Gentoo keys")? Are the keys in ldap really mine? Do I miss anything?

BTW: About a third of the Manifests are signed [1]. We didn't improve since 2005/2006 [2]. The two parties are working hard against each other [3]. 55 Manifests are signed by revoked keys [4].

[1] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest.png
[2] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/ratio_2005.png
[3] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/Manifest2.png
[4] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/signatures_by_revoked_keys.txt
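An added example (not code from this thread or from Gentoo's own tooling) of the check behind the statistics above: detect whether a Manifest is PGP clearsigned, have gpg verify it, and classify the result so that Manifests signed by revoked keys are counted separately from unsigned and properly signed ones. The gpg `--status-fd` keywords are GnuPG's own; the key ids and Manifest contents in the test data are constructed.

```python
import os
import re
import subprocess

CLEARSIGN_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
# gpg --status-fd keywords (GnuPG doc/DETAILS); exactly one of GOODSIG,
# EXPKEYSIG or REVKEYSIG is emitted for a signature gpg could check.
_STATUS_CLASSES = [
    ("REVKEYSIG", "signed-by-revoked-key"),
    ("EXPKEYSIG", "signed-by-expired-key"),
    ("GOODSIG", "good-signature"),
    ("BADSIG", "bad-signature"),
    ("ERRSIG", "unverifiable"),  # e.g. signing key not in the keyring
]

def is_clearsigned(manifest_text: str) -> bool:
    """True when the Manifest carries an inline PGP clearsign block."""
    return manifest_text.lstrip().startswith(CLEARSIGN_HEADER)

def classify_status(status_text: str) -> str:
    """Map gpg --status-fd output to one verdict; no keyword means unsigned."""
    for line in status_text.splitlines():
        m = re.match(r"\[GNUPG:\] (\S+)", line)
        if not m:
            continue
        for keyword, verdict in _STATUS_CLASSES:
            if m.group(1) == keyword:
                return verdict
    return "unsigned"

def verify_manifest(path: str, keyring: str = "") -> str:
    """Classify one Manifest file; keyring is an optional gpg keyring path."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        if not is_clearsigned(fh.read()):
            return "unsigned"
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    proc = subprocess.run(cmd + [path], capture_output=True, text=True)
    return classify_status(proc.stdout)

def tally_tree(root: str, keyring: str = "") -> dict:
    """Count Manifests per verdict under a portage-style tree (constructed helper)."""
    counts = {}
    for dirpath, _, files in os.walk(root):
        if "Manifest" in files:
            verdict = verify_manifest(os.path.join(dirpath, "Manifest"), keyring)
            counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```

Pointing `keyring` at an export of the keys listed in LDAP makes ERRSIG (key unknown) stand out from REVKEYSIG (key known but revoked), which is the distinction the revoked-keys list above draws.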