Rich Freeman <ri...@gentoo.org> wrote:
> On Sat, Jul 7, 2018 at 1:51 AM Martin Vaeth <mar...@mvath.de> wrote:
>> Davyd McColl <dav...@gmail.com> wrote:
>>
>> > I ask because prior to the GitHub incident, I didn't have signature
>> > verification enabled
>>
>> Currently, it is not practical to change this, see my other posting.
>
> You clearly don't understand what it actually checks.

Davyd and I were obviously speaking about the gentoo repository
(the official one and the one on github which got hacked).
For these repositories verification is practically not possible.
(That there are also *other* repositories - with huge metadata history -
which might be easier to verify is a different story).

Perversely, the official comments after the hack had
suggested that you should have enabled signature verification for
the hacked repository, which was simply practically not possible.
