On Sun, 30 Oct 2016 15:36:16 -0700 Zac Medico <[email protected]> wrote:
> I'm merging in Michał's reply from the related "[gentoo-portage-dev]
> [PATCH] [sync] Increase the default git sync-depth to 10" thread.
>
> On 10/30/2016 02:58 PM, Zac Medico wrote:
> > On 10/30/2016 01:44 PM, Michał Górny wrote:
> >> Hi, everyone.
> >>
> >> Just a quick note: I've prepared a simple tool [1] to verify clones of
> >> gentoo-mirror repositories. It's still early WiP but can be easily used
> >> to verify a clone:
> >>
> >> $ ./verify-repo gentoo
> >> [/var/db/repos/gentoo]
> >> Untrusted signature on 42ccdf48d718287e981c00f25caea2242262906a
> >> (you may need to import/trust developer keys)
> >> Note: unsigned changes in metadata and/or caches found (it's fine)
> >
> > I don't think it's acceptable to use an unsigned metadata/cache commit.
> > Can't we use an infrastructure key for this?
>
> On 10/30/2016 03:03 PM, Michał Górny wrote:
> > I've even written a blog post [1] about that. Long story short,
> > trusting some random key used by automated process running on remote
> > server with no real security is insane. I've made a script that
> > verifies underlying repo commit instead, and diffs for metadata
> > changes.
> >
> >
> [1]:https://blogs.gentoo.org/mgorny/2016/04/15/why-automated-gentoo-mirror-commits-are-not-signed-and-how-to-verify-them-2/
>
> An automated signature may not have the same degree of trust as a
> manually generated signature, but that does not make it completely
> worthless (is https worthless too?).

I disagree. We don't have any good way of expressing this degree of
trust. Therefore, the user will commonly presume both are of the same
degree of trust.

-- 
Best regards,
Michał Górny
<http://dev.gentoo.org/~mgorny/>
