-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 06/08/2012 01:36 PM, Rich Freeman wrote:
> I doubt any dev checks the signatures on manifest files before
> they overwrite them with a new signature. If they did it wouldn't
> matter since those signatures aren't even mandatory anyway.
> Certainly it isn't intuitive to me that when I perform a signature
> on changes I make that I'm also vouching for work committed by
> somebody else before me.

I'm trying to do this, but first we need a keyring with all dev GPG keys, securely distributed, to verify the signatures.

We (almost all) have gentoogpg key-ids in LDAP, and most have fingerprints in gentoofingerprint in LDAP, but we have to download these keys from public keyservers. And it's not mandatory to either sign at all or to sign with the keys mentioned in LDAP.

Someone pointed me to tove's list of GPG keys used for signing [1]. I'd suggest generating a tarball (containing a keyring), signed by a master key (member of trustees/council/...), to be deployed on all systems (like it's done on Arch Linux and Debian). But the current vulnerability is exporting/importing these keys to pgp.mit.edu et al.

Suggestions?

Michael

[1] http://dev.gentoo.org/~tove/stats/gentoo-x86/Manifest/keys_in_use.txt

- -- 
Gentoo Dev
http://xmw.de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk/SAOkACgkQknrdDGLu8JBWywD/e4kT9jUt3CFFMZgMla14zdwT
dmZZs4R5to9CikKAFqwA/1dcXV9/8H/qrW0q8yO7pEIdCdr8RD2d0mochceEeyxd
=+k9D
-----END PGP SIGNATURE-----
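As an added example (not part of Michael's mail and not any Gentoo tooling), here is the distribution flow proposed above scripted end to end with throwaway keys: the developer keyring is packed into a tarball and detach-signed by a master key; a client that has only the master public key installed accepts the tarball after checking that signature, and from then on verifies Manifests exclusively against the shipped keyring with `--no-default-keyring`, so a Manifest signed by a key that exists only on a public keyserver is rejected. All key names, paths and the Manifest line are constructed; the script assumes GnuPG 2.1 or newer (for `--quick-gen-key`) and `tar`.

```shell
#!/bin/sh
# Added example: a signed-keyring distribution flow as proposed in the mail.
# Everything is constructed: throwaway keys in temporary GNUPGHOMEs, a one-file
# "keyring tarball", and a toy Manifest. Needs GnuPG >= 2.1 and tar.
set -eu

WORK=$(mktemp -d)
SERVER="$WORK/server-gnupg"   # where the master key and the dev keys live
CLIENT="$WORK/client-gnupg"   # a deployed system: it trusts only the master key
mkdir -m 700 "$SERVER" "$CLIENT"
trap 'gpgconf --homedir "$SERVER" --kill gpg-agent 2>/dev/null || true; gpgconf --homedir "$CLIENT" --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Non-interactive gpg for the key-holding (infrastructure) side.
sgpg() { gpg --batch --quiet --homedir "$SERVER" --pinentry-mode loopback --passphrase '' "$@"; }
# gpg for the client side.
cgpg() { gpg --batch --quiet --homedir "$CLIENT" "$@"; }

# Generate a throwaway key for the given user id and print its fingerprint.
gen_key() {
    sgpg --quick-gen-key "$1" default default never 2>/dev/null
    sgpg --list-keys --with-colons "$1" | awk -F: '/^fpr/ { print $10; exit }'
}

MASTER=$(gen_key "Demo Master Key <master@example.invalid>")
DEV=$(gen_key "Demo Developer <dev@example.invalid>")
ROGUE=$(gen_key "Not A Developer <rogue@example.invalid>")   # never added to the keyring

# 1. Infrastructure side: build the developer keyring (only $DEV is in it),
#    pack it, and detach-sign the tarball with the master key.
mkdir "$WORK/dist"
sgpg --export "$DEV" > "$WORK/dist/devs.gpg"
tar -C "$WORK/dist" -cf "$WORK/keyring.tar" devs.gpg
sgpg --local-user "$MASTER" --detach-sign --output "$WORK/keyring.tar.sig" "$WORK/keyring.tar"

# 2. Client side: the only thing pre-installed is the master public key.
sgpg --export "$MASTER" | cgpg --import 2>/dev/null

# Accept the keyring tarball only if the master key's signature checks out.
install_keyring() {
    cgpg --verify "$WORK/keyring.tar.sig" "$WORK/keyring.tar" 2>/dev/null || return 1
    tar -C "$CLIENT" -xf "$WORK/keyring.tar"
}

# Verify a clearsigned Manifest against the distributed keyring ONLY:
# --no-default-keyring means keys fetched from a keyserver are never consulted.
verify_manifest() {
    if cgpg --no-default-keyring --keyring "$CLIENT/devs.gpg" --verify "$1" 2>/dev/null; then
        echo trusted
    else
        echo untrusted
    fi
}

# 3. Two clearsigned Manifests: one by the listed developer, one by an unknown key.
printf 'DIST foo-1.0.tar.gz 1234 SHA256 0000000000000000000000000000000000000000000000000000000000000000\n' > "$WORK/Manifest"
sgpg --local-user "$DEV"   --clearsign --output "$WORK/Manifest.dev"   "$WORK/Manifest"
sgpg --local-user "$ROGUE" --clearsign --output "$WORK/Manifest.rogue" "$WORK/Manifest"

install_keyring
echo "developer-signed Manifest: $(verify_manifest "$WORK/Manifest.dev")"    # trusted
echo "unknown-key Manifest:      $(verify_manifest "$WORK/Manifest.rogue")"  # untrusted
```

The point of the separate client GNUPGHOME is that the client's trust decision reduces to one pre-installed key: if the master signature on the tarball fails, `install_keyring` returns non-zero and no developer keys are installed; if it succeeds, Manifest verification never falls back to whatever a keyserver happens to serve for a given key id.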