On Fri, Jun 08, 2012 at 03:40:57PM +0200, Michael Weber wrote:
> I'd suggest to generate a tarball (containing a keyring) to sign by
> a master key (member of trustee/council/..) to be deployed on all
> systems (like it's done on archlinux and debian).
>
> But the current vulnerability is exporting/importing these keys to
> pgp.mit.edu et al.
If you just want to check for valid signatures, you can blindly download the keys from a keyserver. If you want to verify that those signing keys belong to Gentoo devs, you'll need a web of trust, just like any other PGP situation. The problem is distributing the trust, not distributing the keys [1].

If you want a central policy for trusting Gentoo devs, you've already got an authentication scheme set up to log into the Gentoo servers. If you trust that scheme, and trust those servers against privilege escalation and the like, then if a dev can log into the server and configure their preferred key fingerprint, that seems like a sufficiently rigorous proof for the Gentoo infra folks to conclude that the dev in question owns the key in question.

The fact that the Gentoo infra folks might trust the dev's key enough to publish snapshots signed by that key has no bearing on whether I, as a non-Gentoo dev who knows none of the infra folks, can trust the key. I've got to establish my own web of trust to make that happen, and it's not something that I expect Gentoo to help me with.

[1]: http://www.gnupg.org/gph/en/manual.html#AEN533
     http://www.gnupg.org/gph/en/manual.html#AEN554

--
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy
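The distinction the reply draws, between a signature that merely verifies against whatever key a keyserver handed out and a key one has an independent reason to trust, as an added example that is not part of the original thread: a small Python parser over the machine-readable lines GnuPG prints on `--status-fd` during `gpg --verify`. The GOODSIG/VALIDSIG/BADSIG/TRUST_* keywords are GnuPG's own status-line vocabulary; the fingerprints, key ids, user ids and the pinned set are constructed sample values, and the gpg invocation that would produce such output appears only in a comment.

```python
# Added example (not from the original thread): classify a gpg --verify run as
# "reject", "valid-untrusted" or "trusted" by reading GnuPG's --status-fd lines.
# Real-world use would be something like
#     gpg --status-fd 1 --verify snapshot.tar.xz.gpgsig snapshot.tar.xz
# and feeding stdout to parse_status(). All sample output below is constructed.
from dataclasses import dataclass
from typing import Optional, Set

# Constructed 40-hex-digit primary-key fingerprints (not real keys).
FPR_PINNED = "0123456789ABCDEF0123456789ABCDEF01234567"   # fingerprint we pinned ourselves
FPR_KEYSERVER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # key blindly fetched from a keyserver

# Fingerprints we have verified out of band (our own web of trust, or a dev's
# fingerprint published through an authentication scheme we chose to trust).
PINNED: Set[str] = {FPR_PINNED}

# Constructed status output: good signature, key only known from a keyserver.
STATUS_KEYSERVER_KEY = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Some Dev <dev@example.invalid>
[GNUPG:] VALIDSIG {FPR_KEYSERVER} 2012-06-08 1339162857 0 4 0 1 2 00 {FPR_KEYSERVER}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: good signature from a key whose fingerprint we pinned, even
# though GnuPG's own trust database says nothing about it.
STATUS_PINNED_KEY = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Some Dev <dev@example.invalid>
[GNUPG:] VALIDSIG {FPR_PINNED} 2012-06-08 1339162857 0 4 0 1 2 00 {FPR_PINNED}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: good signature, key reached full trust through our local web of trust.
STATUS_WOT_KEY = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Some Dev <dev@example.invalid>
[GNUPG:] VALIDSIG {FPR_KEYSERVER} 2012-06-08 1339162857 0 4 0 1 2 00 {FPR_KEYSERVER}
[GNUPG:] TRUST_FULLY 0 pgp
"""

# Constructed: the signature does not verify at all.
STATUS_BADSIG = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG FEDCBA9876543210 Some Dev <dev@example.invalid>
"""


@dataclass
class VerifyResult:
    valid: bool                 # VALIDSIG seen and no BADSIG/ERRSIG/expired/revoked
    fingerprint: Optional[str]  # primary-key fingerprint from VALIDSIG
    trust: Optional[str]        # TRUST_* level GnuPG derived from its trust database
    pinned: bool                # fingerprint is in our locally pinned set


def parse_status(status_text: str, pinned: Set[str]) -> VerifyResult:
    """Parse gpg --status-fd output for a single signature."""
    valid, rejected, fpr, trust = False, False, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # not a status line; gpg may interleave other output
        fields = line.split()
        keyword = fields[1]
        if keyword == "VALIDSIG":
            # Field 2 is the (sub)key that signed; the last field is the primary
            # key fingerprint, which is what people pin and certify.
            fpr = fields[-1].upper()
            valid = True
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG",
                         "EXPKEYSIG", "REVKEYSIG"):
            rejected = True  # bad, unverifiable, expired or revoked: never accept
        elif keyword.startswith("TRUST_"):
            trust = keyword
    valid = valid and not rejected
    return VerifyResult(valid=valid, fingerprint=fpr, trust=trust,
                        pinned=fpr is not None and fpr in pinned)


def classify(result: VerifyResult) -> str:
    """'reject': signature does not verify.
    'valid-untrusted': cryptographically fine, but the key came from nowhere
                       we trust (exactly what blind keyserver download gives you).
    'trusted': the key is pinned or fully trusted in our own web of trust."""
    if not result.valid:
        return "reject"
    if result.pinned or result.trust in ("TRUST_FULLY", "TRUST_ULTIMATE"):
        return "trusted"
    return "valid-untrusted"


if __name__ == "__main__":
    for name, status in (("keyserver key", STATUS_KEYSERVER_KEY),
                         ("pinned key", STATUS_PINNED_KEY),
                         ("web-of-trust key", STATUS_WOT_KEY),
                         ("bad signature", STATUS_BADSIG)):
        print(f"{name:18s} -> {classify(parse_status(status, PINNED))}")
```

The point the parser makes concrete is that "valid-untrusted" is the normal outcome of verifying a snapshot against keys pulled blindly from pgp.mit.edu: GnuPG confirms the math, and nothing more. Moving a result into "trusted" requires either a fingerprint you pinned through some channel you trust, or a TRUST_FULLY/TRUST_ULTIMATE verdict from your own web of trust, neither of which a keyserver can supply.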