On Thu, 18 May 2006 23:45:17 +0200, Patrick Lauer wrote:
> Hello all,

snip...

I have a question about package Manifests. On reviewing portage, some Manifests are signed by various GPG keys, and others are not signed at all! I submitted something to Patrick off list (largely because I'm not a dev, nor a great security expert) which uses a hash of all Manifest files as a basis for portage validation. However, the signing of the Manifest files themselves is inconsistent, which poses a few problems.

Who signs the Manifests? Why are some unsigned? Is there a single Gentoo Security Key (like I know Slackware has and some other distros to ensure the authenticity of their files)?

TIA

--
Peter

--
[email protected] mailing list
