I'm merging in Michał's reply from the related "[gentoo-portage-dev] [PATCH] [sync] Increase the default git sync-depth to 10" thread.
On 10/30/2016 02:58 PM, Zac Medico wrote:
> On 10/30/2016 01:44 PM, Michał Górny wrote:
>> Hi, everyone.
>>
>> Just a quick note: I've prepared a simple tool [1] to verify clones of
>> gentoo-mirror repositories. It's still early WiP but can be easily used
>> to verify a clone:
>>
>> $ ./verify-repo gentoo
>> [/var/db/repos/gentoo]
>> Untrusted signature on 42ccdf48d718287e981c00f25caea2242262906a
>> (you may need to import/trust developer keys)
>> Note: unsigned changes in metadata and/or caches found (it's fine)
>
> I don't think it's acceptable to use an unsigned metadata/cache commit.
> Can't we use an infrastructure key for this?

On 10/30/2016 03:03 PM, Michał Górny wrote:
> I've even written a blog post [1] about that. Long story short,
> trusting some random key used by automated process running on remote
> server with no real security is insane. I've made a script that
> verifies underlying repo commit instead, and diffs for metadata
> changes.
>
> [1]:https://blogs.gentoo.org/mgorny/2016/04/15/why-automated-gentoo-mirror-commits-are-not-signed-and-how-to-verify-them-2/

An automated signature may not have the same degree of trust as a
manually generated signature, but that does not make it completely
worthless (is https worthless too?).
--
Thanks,
Zac