On Sat, Oct 08, 2011 at 02:45:02PM -0700, "Paweł Hajdan, Jr." wrote: > I checked > <http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=5> > and the Handbook only mentions validating MD5 checksums. > > There are two possible issues: > > 1. Why are we using _only_ MD5 and SHA1 as the checksums? Shouldn't we > be using something stronger? Fixed in Catalyst now. http://git.overlays.gentoo.org/gitweb/?p=proj/catalyst.git;a=commit;h=42b4f6608682cf03954918ecce7923330a1656fe So when the stagebuilders update their Catalyst, they will be generated with newer hashes.
> 2. I noticed the checksums are signed (.asc files). With what key are > they signed? How is that key handled, and how to ensure people use the > right key when verifying the signature? Documented here: http://www.gentoo.org/proj/en/releng/ Relevant to this discussion: The weekly builds are signed with: key 2D182910 RSA 4096-bit, generated 2009/08/25 Gentoo Linux Release Engineering (Automated Weekly Release Key) <[email protected]> It's located in the pipeline that collects stages and isos for publication. The non-weekly releases (eg 11.2) have a separate key key 17072058, DSA 1024-bit, generated 2004/07/20 Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <[email protected]> -- Robin Hugh Johnson Gentoo Linux: Developer, Trustee & Infrastructure Lead E-Mail : [email protected] GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
