On 10/30/2016 03:32 PM, Michał Górny wrote:
> On Sun, 30 Oct 2016 14:58:59 -0700
> Zac Medico <zmed...@gentoo.org> wrote:
> 
>> On 10/30/2016 01:44 PM, Michał Górny wrote:
>>> Hi, everyone.
>>>
>>> Just a quick note: I've prepared a simple tool [1] to verify clones of
>>> gentoo-mirror repositories. It's still early WiP but can be easily used
>>> to verify a clone:
>>>
>>>   $ ./verify-repo gentoo
>>>   [/var/db/repos/gentoo]
>>>   Untrusted signature on 42ccdf48d718287e981c00f25caea2242262906a
>>>   (you may need to import/trust developer keys)
>>>   Note: unsigned changes in metadata and/or caches found (it's fine)  
>>
>> I don't think it's acceptable to use an unsigned metadata/cache commit.
>> Can't we use an infrastructure key for this?
> 
> How are you going to guarantee that a third-party didn't access
> the remote server and alter the filesystem just before the commit? Not
> to mention the pains of keeping the key secure.
> 
> It's better not to sign that to provide false security.

There's no absolute guarantee that the developer's key hasn't been
compromised either. So we've got varying degrees of trust. An automated
infrastructure signature may not have as much trust as a developer
signature, but it's still better than nothing, for the same reason that
publishing these key fingerprints via https is better than http:

https://wiki.gentoo.org/wiki/Project:RelEng#Keys
-- 
Thanks,
Zac
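The check the thread argues about, written out as an added example (not Michał's verify-repo tool or any Gentoo code): it parses `git log --format='%H%x00%G?%x00%GF' --name-only` output, maps git's signature-status letter to a trust level, and accepts an unsigned commit only when every path it touches is under `metadata/` (an assumed layout). `SAMPLE_LOG`, `git_log`, `parse_log`, `classify` and `verify` are this example's own names.

```python
import subprocess
from collections import Counter
# Unsigned changes are tolerated only under these paths (assumed layout; the real tool may differ).
METADATA_PREFIXES = ("metadata/",)
# hash, %G? status letter, signing-key fingerprint, NUL-separated so no path looks like a header.
LOG_FORMAT = "%H%x00%G?%x00%GF"
# Constructed sample in the shape `git log --format=... --name-only` emits (not real history).
SAMPLE_LOG = (
    "42ccdf48d718287e981c00f25caea2242262906a\x00U\x00<DEV-KEY-FPR>\n\n"
    "dev-libs/foo/foo-1.0.ebuild\n\n"
    "1111111111111111111111111111111111111111\x00N\x00\n\n"
    "metadata/md5-cache/dev-libs/foo-1.0\n\n"
    "2222222222222222222222222222222222222222\x00G\x00<TRUSTED-KEY-FPR>\n\n"
    "dev-libs/bar/bar-2.0.ebuild\n"
)

def git_log(repo, rev_range="HEAD"):
    """Raw log for a real clone; needs git and gpg (with the developer keys imported) on PATH."""
    cmd = ["git", "-C", repo, "log", "--format=" + LOG_FORMAT, "--name-only", rev_range]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def parse_log(text):
    """Return [(sha, status, fingerprint, [paths]), ...] from git log output."""
    records = []
    for line in text.splitlines():
        if "\x00" in line:                       # header line starts a new commit
            sha, status, fpr = line.split("\x00")
            records.append((sha, status, fpr, []))
        elif line.strip() and records:           # a --name-only path line
            records[-1][3].append(line.strip())
    return records

def classify(record):
    """Map git's %G? letter to the trust level a verifier would report."""
    _sha, status, _fpr, paths = record
    if status == "G":                            # good signature from a trusted key
        return "trusted"
    if status in ("U", "E"):                     # valid but untrusted key, or key not imported
        return "untrusted-signature"
    if status == "N":                            # no signature at all
        if paths and all(p.startswith(METADATA_PREFIXES) for p in paths):
            return "unsigned-metadata"           # the weaker trust level debated above
        return "unsigned"
    return "bad-signature"                       # B, X, Y, R: bad, expired or revoked

def verify(text):
    """Count commits per trust level; pass only if nothing is bad or unsigned outside metadata."""
    levels = Counter(classify(r) for r in parse_log(text))
    return levels, not (levels["unsigned"] or levels["bad-signature"])
```

On a real clone, `verify(git_log("/var/db/repos/gentoo", "origin/master~50..origin/master"))` gives the same counts for the last 50 commits; an "untrusted-signature" result is the "you may need to import/trust developer keys" case from the tool's output.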
