On 09/18/2015 10:58 AM, Justin (jlec) wrote:
> Hello,
>
> there are quite a number of Manifests still not containing one or
> more of the three hashes. I would like to update them as far as we
> can download the sources.
>
> Procedure would be:
> 1. Download package
> 2. verify current hashes match
> 3. Calculate new
> 4. commit
>
> The following question needs to be answered first:
>
> Does anybody have any general objections, remarks or ideas on
> that?
As long as the current hashes are verified for the download I'm fine with this, but I'd like to take the opportunity to bring up a general note with regards to manifest generation and OpenPGP verification of source files.

Now that we're hopefully getting closer to a fully signed OpenPGP Gentoo tree, it is also important that package maintainers pay attention to OpenPGP signatures when generating the initial Manifest files, e.g. on a version bump. This also brings up some interesting key management issues with regards to ensuring that the package is signed with the correct key. Of course, where the maintainer has met the developer and cross-signed the keys, this part is relatively easy, as the key will have full validity or can be easily verified at one hop distance. Where this becomes more difficult is of course where no direct certification has been made, leading into more probabilistic approaches to determining key validity. I would expect maintainers of a package to be following the mailing lists, giving a high expectation of the key being correct, and as such to keep a local copy of the keys used for distribution with a local signature (lsign in GnuPG's edit-key interface) marking this key as valid.

We currently don't (well, I don't at least) store information about the file verification in the git commit messages, and I'm not sure if this is something that would be valuable exceeding the cost of the added message and finding a format to do so. But given that we're talking about the Manifests, I do sincerely hope package maintainers have a well thought out setup for key management locally and in fact verify the OpenPGP signatures vs. known good keys, and that appropriate measures are being taken in the case of non-maintainer commits that don't reduce the level of security.
-- 
Kristian Fiskerstrand
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
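The safety property Kristian asks for above ("as long as the current hashes are verified for the download") is the one that is easy to get wrong when scripting Justin's steps 2 and 3: an entry must only gain hashes after every hash it already carries has been checked, and an entry whose recorded hash cannot be recomputed locally must be left alone rather than silently rewritten. The following Python is an added example written for this page, not code from the thread and not repoman or any other Gentoo tool. It assumes the Manifest2 `DIST <file> <size> <ALGO> <hex> ...` line format and the three algorithms mentioned in the thread (SHA256, SHA512, WHIRLPOOL); the distfile contents and the Manifest line below are constructed sample data, and WHIRLPOOL is normally not available in Python's hashlib, which is exactly the "cannot verify, so refuse" case the code handles.

```python
"""Verify-then-extend check for a Gentoo Manifest DIST entry.

Illustrative code for this thread; not repoman or any Gentoo tool.
Assumes the Manifest2 line format:  DIST <file> <size> <ALGO> <hex> [...]
"""

import hashlib
from typing import Dict, List, Tuple

# The three hashes a complete DIST entry was expected to carry (from the thread).
REQUIRED_HASHES = ("SHA256", "SHA512", "WHIRLPOOL")


def parse_dist_line(line: str) -> Tuple[str, int, Dict[str, str]]:
    """Split a DIST line into (filename, size, {ALGO: hexdigest})."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST" or (len(fields) - 3) % 2:
        raise ValueError(f"malformed DIST line: {line!r}")
    name, size = fields[1], int(fields[2])
    hashes = {fields[i].upper(): fields[i + 1].lower()
              for i in range(3, len(fields), 2)}
    return name, size, hashes


def compute_hashes(data: bytes, algos) -> Dict[str, str]:
    """Hash data with every requested algorithm this Python build provides.

    Algorithms hashlib does not know (typically WHIRLPOOL) are skipped, so the
    caller can tell "could not check" apart from "checked and matched".
    """
    out = {}
    for algo in algos:
        try:
            h = hashlib.new(algo.lower())
        except ValueError:
            continue
        h.update(data)
        out[algo] = h.hexdigest()
    return out


def update_dist_line(line: str, data: bytes) -> Tuple[str, List[str]]:
    """Steps 2 and 3 of the procedure: verify all recorded hashes, then add
    the missing ones.  Returns (new line, algorithms still missing).

    Raises instead of rewriting anything that cannot be verified or does not
    match, so a tampered or wrong distfile never gets fresh hashes committed.
    """
    name, size, recorded = parse_dist_line(line)
    if len(data) != size:
        raise RuntimeError(f"{name}: size {len(data)} != recorded {size}")
    actual = compute_hashes(data, set(recorded) | set(REQUIRED_HASHES))

    # Step 2: every hash already in the Manifest must be checkable and match.
    unverifiable = sorted(a for a in recorded if a not in actual)
    if unverifiable:
        raise RuntimeError(f"{name}: cannot verify recorded {unverifiable}; "
                           "refusing to touch the entry")
    mismatched = sorted(a for a in recorded if recorded[a] != actual[a])
    if mismatched:
        raise RuntimeError(f"{name}: mismatch for {mismatched}; this is not "
                           "the distfile that was originally recorded")

    # Step 3: add only what is missing; never overwrite a verified value.
    merged = dict(recorded)
    for algo in REQUIRED_HASHES:
        if algo not in merged and algo in actual:
            merged[algo] = actual[algo]
    still_missing = [a for a in REQUIRED_HASHES if a not in merged]

    fields = ["DIST", name, str(size)]
    for algo in REQUIRED_HASHES:                      # canonical order first
        if algo in merged:
            fields += [algo, merged[algo]]
    for algo in sorted(set(merged) - set(REQUIRED_HASHES)):  # keep extras
        fields += [algo, merged[algo]]
    return " ".join(fields), still_missing


# Constructed sample: the "downloaded" distfile and a Manifest entry that
# only carries its SHA256 (a948... is sha256 of b"hello world\n").
SAMPLE_DATA = b"hello world\n"
SAMPLE_LINE = ("DIST foo-1.0.tar.gz 12 SHA256 "
               "a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447")

if __name__ == "__main__":
    new_line, missing = update_dist_line(SAMPLE_LINE, SAMPLE_DATA)
    print(new_line)
    if missing:
        print("still missing, needs a WHIRLPOOL-capable tool:", ", ".join(missing))
    try:  # same size, different bytes: must be rejected, not re-hashed
        update_dist_line(SAMPLE_LINE, b"hello World\n")
    except RuntimeError as err:
        print("rejected:", err)
```

Run against a real tree this would sit between the download and the commit, and the two `RuntimeError` paths are the ones that matter: a mismatch means the file on the mirror is not what the original maintainer hashed, and an unverifiable entry means the local toolchain is missing an algorithm, so the entry should be left for a machine that has it rather than regenerated from scratch. Neither case is a reason to compute new hashes.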