Re: [gentoo-dev] Git, GPG Signing, and Manifests

2015-07-17 Thread Rich Freeman
On Fri, Jul 17, 2015 at 12:42 AM, Brian Dolbec dol...@gentoo.org wrote: I don't know tbh, most are already signed, with the git migration, the strongly recommended commit signing will become MANDATORY. So, we are at 50 devs with valid gpg keys now, with 200 more gpg keys listed in LDAP that

Re: [gentoo-dev] Git, GPG Signing, and Manifests

2015-07-17 Thread Alon Bar-Lev
On 17 July 2015 at 15:36, Rich Freeman ri...@gentoo.org wrote: On Fri, Jul 17, 2015 at 12:42 AM, Brian Dolbec dol...@gentoo.org wrote: I don't know tbh, most are already signed, with the git migration, the strongly recommended commit signing will become MANDATORY. So, we are at 50 devs with

Re: [gentoo-dev] Git, GPG Signing, and Manifests

2015-07-17 Thread Rich Freeman
On Fri, Jul 17, 2015 at 8:36 AM, Rich Freeman ri...@gentoo.org wrote: On Fri, Jul 17, 2015 at 12:42 AM, Brian Dolbec dol...@gentoo.org wrote: I don't know tbh, most are already signed, with the git migration, the strongly recommended commit signing will become MANDATORY. So, we are at 50

Re: [gentoo-dev] Git, GPG Signing, and Manifests

2015-07-17 Thread Brian Dolbec
On Fri, 17 Jul 2015 08:36:25 -0400 Rich Freeman ri...@gentoo.org wrote: On Fri, Jul 17, 2015 at 12:42 AM, Brian Dolbec dol...@gentoo.org wrote: I don't know tbh, most are already signed, with the git migration, the strongly recommended commit signing will become MANDATORY. So, we are

Re: [gentoo-dev] Git, GPG Signing, and Manifests

2015-07-17 Thread Brian Dolbec
On Fri, 17 Jul 2015 08:50:43 -0400 Rich Freeman ri...@gentoo.org wrote: On Fri, Jul 17, 2015 at 8:36 AM, Rich Freeman ri...@gentoo.org wrote: On Fri, Jul 17, 2015 at 12:42 AM, Brian Dolbec dol...@gentoo.org wrote: I don't know tbh, most are already signed, with the git migration, the

OpenPGP verification (was Re: [gentoo-dev] Git, GPG Signing, and Manifests)

2015-07-17 Thread Kristian Fiskerstrand
On 07/17/2015 03:13 AM, NP-Hardass wrote: Additionally, I feel that a signature is a means of acknowledging that a package has been looked over, and that developer has stated that they approve of the existing state. I'm not sure if others

Verification of installed packages (was Re: OpenPGP verification (was Re: [gentoo-dev] Git, GPG Signing, and Manifests))

2015-07-17 Thread Andrew Savchenko
Hi, On Fri, 17 Jul 2015 10:18:14 +0200 Kristian Fiskerstrand wrote: Additionally, I feel that a signature is a means of acknowledging that a package has been looked over, and that developer has stated that they approve of the existing state. I'm not sure if others agree with that

Re: OpenPGP verification (was Re: [gentoo-dev] Git, GPG Signing, and Manifests)

2015-07-17 Thread Kristian Fiskerstrand
On 07/17/2015 11:48 AM, hasufell wrote: On 07/17/2015 10:18 AM, Kristian Fiskerstrand wrote: On 07/17/2015 03:13 AM, NP-Hardass wrote: Additionally, I feel that a signature is a means of acknowledging that a package has been looked over, and

Re: OpenPGP verification (was Re: [gentoo-dev] Git, GPG Signing, and Manifests)

2015-07-17 Thread hasufell
On 07/17/2015 10:18 AM, Kristian Fiskerstrand wrote: On 07/17/2015 03:13 AM, NP-Hardass wrote: Additionally, I feel that a signature is a means of acknowledging that a package has been looked over, and that developer has stated that they approve of the existing state. I'm not sure if others

Re: Verification of installed packages (was Re: OpenPGP verification (was Re: [gentoo-dev] Git, GPG Signing, and Manifests))

2015-07-17 Thread Kent Fredric
On 17 July 2015 at 22:34, Andrew Savchenko birc...@gentoo.org wrote: 2. Add an optional feature to emerge (or even to PMS?) allowing user to provide a usable GPG key for signing packages CONTENTS files after its generation. In order for such key to be usable during emerge run, gpg-agent should

Re: [gentoo-dev] Git, GPG Signing, and Manifests

2015-07-16 Thread NP-Hardass
On 07/16/2015 09:25 PM, Kent Fredric wrote: On 17 July 2015 at 13:13, NP-Hardass np-hard...@gentoo.org wrote: Additionally, I feel that a signature is a means of acknowledging that a package has been looked over, and that developer has stated

Re: [gentoo-dev] Git, GPG Signing, and Manifests

2015-07-16 Thread Brian Dolbec
On Thu, 16 Jul 2015 23:06:03 -0400 NP-Hardass np-hard...@gentoo.org wrote: On 07/16/2015 09:25 PM, Brian Dolbec wrote: On Thu, 16 Jul 2015 21:13:09 -0400 NP-Hardass np-hard...@gentoo.org

Re: [gentoo-dev] Git, GPG Signing, and Manifests

2015-07-16 Thread NP-Hardass
On 07/16/2015 09:25 PM, Brian Dolbec wrote: On Thu, 16 Jul 2015 21:13:09 -0400 NP-Hardass np-hard...@gentoo.org wrote: Not sure if this has been covered in some of the rather long chains of

Re: [gentoo-dev] Git, GPG Signing, and Manifests

2015-07-16 Thread Brian Dolbec
On Thu, 16 Jul 2015 21:13:09 -0400 NP-Hardass np-hard...@gentoo.org wrote: Not sure if this has been covered in some of the rather long chains of late, but I was thinking about GPG signing, and

Re: [gentoo-dev] Git, GPG Signing, and Manifests

2015-07-16 Thread Kent Fredric
On 17 July 2015 at 13:13, NP-Hardass np-hard...@gentoo.org wrote: Additionally, I feel that a signature is a means of acknowledging that a package has been looked over, and that developer has stated that they approve of the existing state That much is somewhat implied by a developer owning a

[gentoo-dev] Git, GPG Signing, and Manifests

2015-07-16 Thread NP-Hardass
Not sure if this has been covered in some of the rather long chains of late, but I was thinking about GPG signing, and how the proposed workflow requires every developer to sign their commits. Currently, it's advised that every manifest be signed.