-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Thu, 16 Jul 2015 23:06:03 -0400
NP-Hardass <np-hard...@gentoo.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> On 07/16/2015 09:25 PM, Brian Dolbec wrote:
> > On Thu, 16 Jul 2015 21:13:09 -0400 NP-Hardass
> > <np-hard...@gentoo.org> wrote:
> > 
> >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
> > 
> >> Not sure if this has been covered in some of the rather long
> >> chains of late, but I was thinking about GPG signing, and how the
> >> proposed workflow requires every developer to sign their commits.
> >> Currently, it's advised that every manifest be signed.  As far as
> >> I know, there are a number that are not.  When a manifest is
> >> signed, the author is saving a state, and providing a means to
> >> check it has not changed.
> > 
> >> Additionally, I feel that a signature is a means of acknowledging
> >> that a package has been looked over, and that developer has
> >> stated that they approve of the existing state.  I'm not sure if
> >> others agree with that sentiment, but if anyone does, my question
> >> is, how does the conversion process to git handle these packages,
> >> where the manifests are not signed.  Is there an intention to
> >> blanket cover all packages when we switch to git?  Will these
> >> packages be copied over directly and still maintain their
> >> unsigned manifest (I think this is unlikely as I read that there
> >> would be a switch to thin manifests, requiring regeneration)? If
> >> the community doesn't view the signature of the manifest as I
> >> just described, then a blanket signing would be fine.
> > 
> >> Would appreciate your thoughts either way, as I could be
> >> overthinking the issue :P
> > 
> >> - -- NP-Hardass
> > 
> > 
> > No, with the git working tree, we will switch to thin manifests and
> > the entire commit will be signed.  Not only that, but the push to
> > the main server will also be signed (a push may contain commits
> > signed by a different person than the person pushing).
> > 
> > For the regular rsync tree, full manifests will be regenerated as
> > needed and signed by a common infra-supplied gpg key.  So for
> > general users, it will be easy to verify without having all gentoo
> > devs' gpg keys.  That will be different for users of the git tree.
> > 
> > 
> > 
> 
> Ah ha. So, with thin manifests, we as devs don't sign the manifest, we
> sign the commit.
> 

Yes, you sign all changes made by that commit.

In CVS this was not possible, so the best workaround was a 2 stage
commit, where the initial changes were committed, then repoman updated
and signed the new Manifest and committed that.


> The infra key for the user-facing tree makes sense.  Thanks for
> filling me in.  So, will infra be using that key to do the initial
> commit to the repo?

I don't know, tbh. Most are already signed; with the git migration, the
strongly recommended commit signing will become MANDATORY.

So, we are at 50 devs with valid gpg keys now, with 200 more gpg keys
listed in LDAP that fail to meet the new spec.  PLEASE fix them or
create new keys...

> 
> Are there plans to make the repo, w/ metadata and signed by infra,
> available to end users as an rsync alternative?
> 

Yes, there will be an anonymous git mirror/server for general
consumption. But I believe there again, a user using it will have to
get the gentoo-devs seed file and install those keys in order to
validate it for themselves.





- -- 
Brian Dolbec <dolsen>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1

iQJ8BAEBCgBmBQJVqIe1XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBNUQ3Qzc0RTA4MUNDNzBEQjRBNEFBRjVG
QkJEMDg3Mjc1ODIwRUQ4AAoJEPu9CHJ1gg7Y15QQAKl+8k3PJM6ZrToDqAH2o+Af
4O5FRAr48NVOL+AsA9/8pihiR0p7xZ0N35TJoCh3vkyfPj3sPfxvm3ZC46azVS7r
HoLgRLYVEv8cZpZXBRi7tqi2XWSYxvGl2tqyF9N/k+Eur00s9zLOepgmxjmvDSjq
J88qd/oi6KB0ufVGpl6HkcumPAY5uVw1yjJu5GO/UIWivkXdaHUAwNe2w0eE/TUv
+8YmzkYhmKMAfOF3RFIxcjxtjh13hMrSWqAjxgMG+sH/4jWXi0PWRXNTU6fCTJXP
oxKFyB/XyZObugOMrmDGXX4jnW5oJpj4P02xDyAbsQR/85EAygoxGEr1jvOXrPhN
vX9XYrLaQ62Us6UM8bM8mv1W7gKn/NJSJoeoRpKDsAvUcJlUp4fcCUWc4F/AaE3a
cDYM8uqDJcN571QlR07Rd28/TTX2BFfEclu/u9SznfMLeveET9CUa12LYiIKfKfx
PnO301QRih0FqH/kvX9kAvpJWZeBmn8xdhZ4VyOeYNQFKuROiexswKTapHbuIJec
eM1P0rZmh9AQfVaZhZJpKbvfRl6HyU6cTeHQJ9mvNzQV87MQuhmIyckJfCQONUZM
SQJ95nlg69NJBLY5IHUYdC1A5k3neRhLvpErOFJZQzlVbAaFXfSPnuDKR/YiBbJ3
Benzg8eJp5Dpngyzr1Mz
=4Hgt
-----END PGP SIGNATURE-----
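The exchange above turns on what a Manifest signature pins down versus what the signed commit has to cover once the tree moves to thin Manifests. The following is an added example, not code from this thread, from Gentoo's repoman or from Portage: it models a Manifest as `<TYPE> <name> <size> <ALGO> <hex> ...` lines (an assumed, simplified form of the format; the real AUX naming and hash set differ), generates thin and full variants for a constructed package directory, and reports which files each one verifies and which it leaves uncovered, i.e. the files whose integrity a user of the git tree can only get from the signed commit.

```python
# Added example (not from the gentoo-dev thread, not Gentoo's repoman/portage code).
# Assumed Manifest line format:
#   <TYPE> <filename> <size> <ALGO> <hex> [<ALGO> <hex> ...]
# with TYPE in {DIST, EBUILD, MISC, AUX}; a thin Manifest keeps only DIST lines.
import hashlib

# Hash algorithms this checker can verify; anything else is treated as unverifiable.
HASH_FUNCS = {
    "SHA256": hashlib.sha256,
    "SHA512": hashlib.sha512,
    "BLAKE2B": hashlib.blake2b,  # 64-byte digest
}


def classify(name):
    """Map a path inside a package directory to its Manifest entry type (assumed rules)."""
    if name.endswith(".ebuild"):
        return "EBUILD"
    if name.startswith("files/"):
        return "AUX"
    if name in ("metadata.xml", "ChangeLog"):
        return "MISC"
    return "DIST"  # a distfile fetched from a mirror


def manifest_line(name, data, algos=("SHA512", "BLAKE2B")):
    """Render one Manifest line for the given file contents."""
    digests = " ".join("%s %s" % (a, HASH_FUNCS[a](data).hexdigest()) for a in algos)
    return "%s %s %d %s" % (classify(name), name, len(data), digests)


def make_manifest(files, thin):
    """files: {name: bytes}. thin=True emits DIST entries only, as a thin Manifest does."""
    lines = [manifest_line(n, d) for n, d in sorted(files.items())
             if not thin or classify(n) == "DIST"]
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Parse Manifest text into {name: (type, size, {algo: hex})}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        # TYPE name size, followed by at least one (ALGO, hex) pair
        if len(f) < 5 or (len(f) - 3) % 2 != 0:
            raise ValueError("malformed Manifest line: %r" % raw)
        entries[f[1]] = (f[0], int(f[2]), dict(zip(f[3::2], f[4::2])))
    return entries


def verify(manifest_text, files):
    """Check files ({name: bytes}) against a Manifest.

    Returns (results, uncovered):
      results:   name -> True (size and every known hash match), False (mismatch, or
                 no checkable hash algorithm), None (listed but file missing)
      uncovered: present files the Manifest does not mention at all; with a thin
                 Manifest these are exactly the files whose integrity rests on the
                 signed git commit rather than on the Manifest.
    """
    entries = parse_manifest(manifest_text)
    results = {}
    for name, (_ftype, size, hashes) in entries.items():
        data = files.get(name)
        if data is None:
            results[name] = None
            continue
        ok = len(data) == size
        checked = 0
        for algo, expected in hashes.items():
            fn = HASH_FUNCS.get(algo)
            if fn is None:
                continue
            checked += 1
            ok = ok and fn(data).hexdigest() == expected.lower()
        results[name] = ok and checked > 0
    uncovered = set(files) - set(entries)
    return results, uncovered


# Constructed package directory plus its distfile (not real Gentoo files).
FILES = {
    "foo-1.0.ebuild": b'EAPI=5\nDESCRIPTION="constructed example"\nSRC_URI="mirror://x/${P}.tar.gz"\n',
    "metadata.xml": b"<pkgmetadata/>\n",
    "files/foo-1.0-build.patch": b"--- a/Makefile\n+++ b/Makefile\n",
    "foo-1.0.tar.gz": b"\x1f\x8b\x08\x00constructed-tarball-bytes",
}
THIN_MANIFEST = make_manifest(FILES, thin=True)
FULL_MANIFEST = make_manifest(FILES, thin=False)


def demo():
    """Show what each Manifest style covers and whether each notices a modified ebuild."""
    _, thin_uncovered = verify(THIN_MANIFEST, FILES)
    _, full_uncovered = verify(FULL_MANIFEST, FILES)
    tampered = dict(FILES)
    tampered["foo-1.0.ebuild"] = FILES["foo-1.0.ebuild"].replace(b"EAPI=5", b"EAPI=6")
    tampered_full, _ = verify(FULL_MANIFEST, tampered)
    tampered_thin, _ = verify(THIN_MANIFEST, tampered)  # ebuild is not even listed here
    return {
        "thin_uncovered": sorted(thin_uncovered),
        "full_uncovered": sorted(full_uncovered),
        "full_detects_tamper": tampered_full["foo-1.0.ebuild"] is False,
        "thin_detects_tamper": "foo-1.0.ebuild" in tampered_thin,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the thin Manifest leaving the ebuild, metadata.xml and the files/ patch uncovered while the full Manifest verifies all of them and flags the edited ebuild; that uncovered set is what the signed commit (and, for the rsync tree, the infra-signed full Manifest) has to protect.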
