Mailing List Archive

update on signed snapshots
For those who have expressed an interest in signed snapshots, here's an
update.

CURRENT STATUS
==============

The 2004.3 release stuff got me a bit side-tracked, but as of tomorrow, we
should have the first officially signed snapshot available on our mirrors.
For reference, the main mirror is here:

http://gentoo.osuosl.org/snapshots/

So if the files are there, then all is working correctly.

The GPG key ID is: D8BA32AA

The fingerprint is: 8861 8228 9048 D40B 3C3B ADDA 6DC2 26AA D8BA 32AA

It is currently available on (at least) pgp.mit.edu and keyserver.net. I
haven't figured out a good place to post it on the web site, so I'm open to
suggestions.

NEXT STEPS
==========

Make sure the signatures are working as expected and that they don't cause
any other unforseen problems.

NEEDS TO BE DONE
================

So far, nobody has written a patch that will modify emerge-webrsync to
check these signatures. For now, you will have to check things manually.
If/when someone does submit a patch, I will pass it along to the
emerge-webrsync maintainer. There is also a chance that one of the devs
will make the changes as well, but no commitments have been made.


--kurt
Re: update on signed snapshots [ In reply to ]
On Tue, Nov 16, 2004 at 05:16:27PM +0000, Kurt Lieber wrote:
> The 2004.3 release stuff got me a bit side-tracked, but as of tomorrow, we
> should have the first officially signed snapshot available on our mirrors.
> For reference, the main mirror is here:
>
> http://gentoo.osuosl.org/snapshots/

Thanks!

> The GPG key ID is: D8BA32AA
>
> The fingerprint is: 8861 8228 9048 D40B 3C3B ADDA 6DC2 26AA D8BA 32AA
>
> It is currently available on (at least) pgp.mit.edu and keyserver.net. I
> haven't figured out a good place to post it on the web site, so I'm open to
> suggestions.

When I look for keys on the website, I usually look under any "security"
oriented links, or under the "about" link. I also look in any documents
describing the installation procedure, under "how to get XYZ software", etc.

Unfortunately, it usually takes me 15 minute or more to hunt down a key,
and sometimes I'm not successful. The closer it is to the main page,
the better, in my opinion.

- Chris


--
gentoo-security@gentoo.org mailing list
Re: update on signed snapshots [ In reply to ]
On Tue, Nov 16, 2004 at 05:16:27PM +0000, Kurt Lieber wrote:
> So far, nobody has written a patch that will modify emerge-webrsync to
> check these signatures. For now, you will have to check things manually.
> If/when someone does submit a patch, I will pass it along to the
> emerge-webrsync maintainer. There is also a chance that one of the devs
> will make the changes as well, but no commitments have been made.

I'll post my patch here once I can test it to make sure it works.

- Chris


--
gentoo-security@gentoo.org mailing list