On 03/25/2011 07:55 AM, "Paweł Hajdan, Jr." wrote:
> On 3/24/11 10:59 PM, Mike Frysinger wrote:
>> is there any reason we should allow people to commit unsigned
>> Manifests anymore? generating/posting/enabling a gpg key is
>> ridiculously easy and there's really no excuse for a dev to not have
>> done this already.
>
> Firstly, I'm excited we're moving towards a signed portage tree.
>
> We can start with a repoman warning (yellow) and a transition period.
>
>> when i look at the tree, the signed stats are stupid low:
>> $ find *-* -maxdepth 2 -name Manifest | wc -l
>> 14438
>> $ find *-* -maxdepth 2 -name Manifest -exec grep -l 'BEGIN PGP
>> SIGNATURE' {} + | wc -l
>> 6032
>
> If I'm interpreting the data correctly, about 43% of Manifest files are
> signed. That's not too bad, I was expecting something more like 5%.
>
> By the way, is it acceptable to use the same GPG key for e-mail and
> signing packages?
Yes. In fact, I'd recommend it. Saves having to try to keep track of 2 keys / dev.

Having said that, for those that just use "keys" for e-mails (most of us), it would make more sense to use full-blown SSL certs in the long run. (Mathematically, same thing. But a cert needs to be signed by a CA, and we should ideally maintain a Gentoo CA.)

I need to get up to speed with the GLEPs pertaining to this. Let's just say I have a fair bit of experience in this field. I may be able to offer some ideas / suggestions. I would very much like to see this happen.

But for the meantime, yes, it's safe.

-- 
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index
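As an added illustration (not code from the thread or from repoman), a POSIX sh audit that extends Mike's find/grep count: it accepts a Manifest as signed only when the full clearsign framing is present, lists the unsigned Manifests a repoman warning would flag, and prints the signed percentage. The `<category>/<package>/Manifest` layout and the sample Manifest contents are assumptions.

```shell
#!/bin/sh
# Added example: audit a portage-style tree for unsigned Manifest files.
# Layout assumed: <tree>/<category>/<package>/Manifest, categories contain '-'.

# True only if the file carries the complete clearsign framing: the SIGNED
# MESSAGE header on line 1 plus a SIGNATURE block. A grep for a single marker
# would also accept a file that merely mentions the string.
is_clearsigned() {
    head -n 1 "$1" | grep -q '^-----BEGIN PGP SIGNED MESSAGE-----$' &&
    grep -q '^-----BEGIN PGP SIGNATURE-----$' "$1" &&
    grep -q '^-----END PGP SIGNATURE-----$' "$1"
}

# Print "<signed> <total> <percent>" for the tree rooted at $1.
manifest_sign_stats() {
    signed=0 total=0
    for f in "$1"/*-*/*/Manifest; do
        [ -f "$f" ] || continue
        total=$((total + 1))
        is_clearsigned "$f" && signed=$((signed + 1))
    done
    [ "$total" -gt 0 ] && pct=$((signed * 100 / total)) || pct=0
    echo "$signed $total $pct"
}

# Print each unsigned Manifest path, one per line (the repoman warning list).
list_unsigned_manifests() {
    for f in "$1"/*-*/*/Manifest; do
        [ -f "$f" ] && ! is_clearsigned "$f" && echo "$f"
    done
    return 0
}

# Build a constructed sample tree under $1: two clearsigned Manifests and one
# unsigned. Signature bodies and hashes are placeholders, not real values.
build_sample_tree() {
    for pkg in app-misc/foo sys-apps/bar; do
        mkdir -p "$1/$pkg"
        printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA1' '' \
            "EBUILD ${pkg##*/}-1.0.ebuild 512 SHA256 0000constructed0000" \
            '-----BEGIN PGP SIGNATURE-----' 'placeholder-signature-body' \
            '-----END PGP SIGNATURE-----' > "$1/$pkg/Manifest"
    done
    mkdir -p "$1/dev-util/baz"
    printf '%s\n' 'EBUILD baz-2.0.ebuild 640 SHA256 0000constructed0000' \
        > "$1/dev-util/baz/Manifest"
}

if [ $# -gt 0 ]; then
    manifest_sign_stats "$1"
    list_unsigned_manifests "$1"
fi
```

Run it as `sh audit.sh /usr/portage` to get the counts followed by the unsigned paths.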