> <pedant>OpenPGP (GPG is just one implementation)</pedant>, but indeed,
> that is what the gentoo-keys project is about. There is experimental
> support for OpenPGP verification in portage already using gkeys.
> Currently the focus is on getting developers' keys up to GLEP63 specs,
> I currently see 36 good Gentoo developer keys. The scheme is also
> flexible enough to allow for overlays.
>
> https is not a good protection against MITM when factoring in global
> PKIX CA setup, nor would it protect with regards to server compromise.
> So the only viable way to secure ebuild repositories is proper OpenPGP
> usage.

I'd double that pedant paranoid! :)

--
Best regards,
mva