On Sat, May 20, 2006 at 06:54:44AM -0400, Peter wrote:
> On Thu, 18 May 2006 23:45:17 +0200, Patrick Lauer wrote:
>
> >The problem, in short, is how to handle the checksumming and signing of
> >gentoo-provided files so that manipulation by external entities becomes
> >difficult.
> all snip...
>
>
On 20/05/06, Peter <[EMAIL PROTECTED]> wrote:
PMFJI, but as a user, not a security expert, I had a few thoughts that I'd
like to throw in. Thanks to Patrick, he helped me to drill down some of
the ideas and I present them for consideration. It's just a framework, so
I will be brief.
Thanks for y
On Thu, 18 May 2006 23:45:17 +0200, Patrick Lauer wrote:
>The problem, in short, is how to handle the checksumming and signing of
>gentoo-provided files so that manipulation by external entities becomes
>difficult.
all snip...
PMFJI, but as a user, not a security expert, I had a few thoughts tha
Marius Mauch wrote:
> On Fri, 19 May 2006 12:28:04 -0400
> Peter <[EMAIL PROTECTED]> wrote:
>
>> Who signs the Manifests? Why are some unsigned? Is there a single
>> Gentoo Security Key (like I know Slackware has and some other distros
>> to ensure the authenticity of their files)?
>
> Because th
On Fri, 19 May 2006 12:28:04 -0400
Peter <[EMAIL PROTECTED]> wrote:
> Who signs the Manifests? Why are some unsigned? Is there a single
> Gentoo Security Key (like I know Slackware has and some other distros
> to ensure the authenticity of their files)?
Because the whole signing stuff isn't offic
On Fri, 19 May 2006 12:28:04 -0400
Peter <[EMAIL PROTECTED]> wrote:
> Who signs the Manifests?
The dev who commits it.
> Why are some unsigned?
Because some devs don't sign Manifests.
> Is there a single
> Gentoo Security Key (like I know Slackware has and some other distros
> to ensure the au
On 19/05/06, Peter <[EMAIL PROTECTED]> wrote:
Who signs the Manifests? Why are some unsigned? Is there a single Gentoo
Security Key (like I know Slackware has and some other distros to ensure
the authenticity of their files)?
Individual developers sign the manifests with their own gpg keys. Som
On Thu, 18 May 2006 23:45:17 +0200, Patrick Lauer wrote:
> Hello all,
snip...
I have a question about package Manifests. On reviewing portage, some
Manifests are signed by various GPG keys, and others are not signed at all!
I submitted something to Patrick off list (largely because I'm not a de