(Yes i realize the irony of not attaching my own) [1] So crux 3.3 is approaching and with that release we will introduce signify[2] as a way to do checksum and signing. To start with, core, opt and xorg will be signed. And to allow all these ports to be signed, we must distribute the private key to all maintainers. As this key should be well protected we must distribute this securely. So please reply and attach your public keys if you maintain ports in either opt or xorg! The 3.3 branch of core is already signed and you can take a look here: https://crux.nu/gitweb/?p=ports/core.git;a=shortlog;h=refs/heads/3.3 [1] Email sent from work! I'll reply to this email with my pub key later. [2] https://crux.nu/Wiki/SignedPorts -- Meddelandet har kontrollerats mot virus samt skadligt inneh�ll av MailScanner och f�rmodas vara s�kert.
[2016-10-11 11:05] Fredrik Rinnestam <fredrik@rinnestam.se>
So please reply and attach your public keys if you maintain ports in either opt or xorg!
... and then transmit the fingerprint over a second channel, or at least ensure good trust paths to the keys. Otherwise it's a leap of faith. meillo
On 2016-10-11 11:15, markus schnalke wrote:
[2016-10-11 11:05] Fredrik Rinnestam <fredrik@rinnestam.se>
So please reply and attach your public keys if you maintain ports in either opt or xorg!
... and then transmit the fingerprint over a second channel, or at least ensure good trust paths to the keys. Otherwise it's a leap of faith.
Indeed!
meillo
On Tue, 11 Oct 2016 13:27:26 +0200 Fredrik wrote:
So please reply and attach your public keys if you maintain ports in either opt or xorg!
... and then transmit the fingerprint over a second channel, or at least ensure good trust paths to the keys. Otherwise it's a leap of faith.
Indeed!
Something like this might make it easier to confirm them :) gpg --with-colons --fingerprint fredrik at rinnestam dot se | grep fpr | cut -d ':' -f 10 | hex2words P7Q7950O88O2RPSNQ799R591R574862R61S68R07 fblorna fgrgubfpbcr cerpyhqr nezvfgvpr arjobea cvbarre ghzbe juvzfvpny fgbcjngpu arohyn gbczbfg zvenpyr gbczbfg ulqenhyvp arpxynpr pburerapr snyybhg ibpnyvfg bepn nzhfrzrag 4S5461Q35O847O532R578893PQP9S9868480OP60 qebccre rdhngvba snyybhg fbpvnoyr renfr whcvgre xvpxbss ragrecevfr ohmmneq rfxvzb arjobea zbynffrf fcvaqyr ergebfcrpg jnssyr yrggreurnq zheny vagragvba fubjtvey sbegvghqr 02NP4321RN4S480O9N2NON5OQROQ8Q29143P559O nppehr crargengr pehpvny pnzrybg gebwna qbphzrag qrnqobyg nezvfgvpr chcvy punzoreznvq funqbj rkbqhf gnpgvpf dhnagvgl bcgvp pregvsl onobba pebffbire rqvpg abejrtvna (hint: g?) Pedja
On 2016-10-11 13:37, Svyatoslav Mishyn wrote:
(Tue, 11 Oct 11:05) Fredrik Rinnestam:
So please reply and attach your public keys if you maintain ports in either opt or xorg!
and contrib?
contrib will probably also be signed. Just that i'm not responsible for that :-). What prompted my initial mail was that 3.3 branches for opt and xorg are imminent
participants (5)
-
Fredrik -
Fredrik Rinnestam
-
markus schnalke -
Predrag Ivanovic -
Svyatoslav Mishyn