On 10/30/2016 03:03 PM, Michał Górny wrote:
> On Sun, 30 Oct 2016 14:44:26 -0700
> Zac Medico <zmed...@gentoo.org> wrote:
> 
>> On 10/30/2016 02:34 PM, Michał Górny wrote:
>>> +The default depth of 10 was chosen as a compromise between space
>>> +and bandwidth savings, and maintaining a history of recent commits.
>>> +It is especially important for gentoo-mirror repositories where the most
>>> +recent commits are automated and unsigned, and it is necessary to
>>> +rewind the history to the newest signed commit for OpenPGP verification.  
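Review bot: The added rationale ties the default depth of 10 to reaching "the newest signed commit", but it does not say what happens when that commit lies more than 10 commits back in a gentoo-mirror repository. Suggest adding a sentence that states the expected outcome in that case (verification fails, or the user must raise the depth). It would also help to say explicitly that the automated, unsigned commits above the signed one are not covered by the OpenPGP check described here.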
>>
>> Shouldn't people feel uneasy about the last commit being unverifiable? I
>> would think that that last commit should be signed with an
>> infrastructure key.
> 
> I've even written a blog post [1] about that. Long story short,
> trusting some random key used by an automated process running on a remote
> server with no real security is insane. I've made a script that
> verifies underlying repo commit instead, and diffs for metadata
> changes.
> 
> [1]:https://blogs.gentoo.org/mgorny/2016/04/15/why-automated-gentoo-mirror-commits-are-not-signed-and-how-to-verify-them-2/

An automated signature may not have the same degree of trust as a
manually generated signature, but that does not make it completely
worthless (is https worthless too?). For greater visibility, let's
continue this discussion in the "[gentoo-dev] OpenPGP verification for
gentoo-mirror repos" thread.
-- 
Thanks,
Zac
