At least the one I got (0xBB572E0E2D182910). I wonder how I am supposed to validate all those stages then.
Reproducible: Always
The release engineering key cannot, by definition, be in the strong set, as it would not be used to sign third-party public keyblocks, and as such there isn't a two-way signature path. That said, there is an argument to be made to get more Gentoo Developers to sign the release engineering key based on the information provided by infra. This information is also presented over TLS-protected transport on the website. https://gentoo.org/downloads/signatures/
Resolving this as invalid, as it is not a security issue. Further discussion on OpenPGP signature paths and developer signing of release keys can be made on the gentoo-project mailing list.
> The release engineering key cannot, by definition, be in the strong set, as it would not be used to sign third-party public keyblocks, and as such there isn't a two-way signature path.

I meant, there's no trust path from a strong set key to the releng key, so it's effectively worthless to a random Gentoo user.
> Resolving this as invalid, as it is not a security issue.

I don't see how the apparent inability to fetch the distro securely from a Gentoo-controlled entity is not a security issue. https://get.gentoo.org/ doesn't provide such a way, at least: it only throws you the mirrors, while it might at least host the checksums.
(In reply to Sergey 'L29Ah' Alirzaev from comment #4)
> > Resolving this as invalid, as it is not a security issue.
>
> I don't see how the apparent inability to fetch the distro securely from a
> Gentoo-controlled entity is not a security issue. https://get.gentoo.org/
> doesn't provide such a way, at least: it only throws you the mirrors, while
> it might at least host the checksums.

As pointed out in comment 1, see https://gentoo.org/downloads/signatures/ for the fingerprints of the public keyblocks used for release media. This is linked from https://gentoo.org/downloads/ (see Signatures).
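The check the thread keeps circling back to, as an added example that is not part of the bug report or of Gentoo's own tooling: for a user with no web-of-trust path to the releng key, the trust anchor is the full fingerprint read from https://gentoo.org/downloads/signatures/ over TLS. "gpg: Good signature" on its own only says that some key in the local keyring made a valid signature, so the verifier has to compare the fingerprint of the key that actually signed against that pinned value (the full fingerprint, not a 64-bit key ID such as 0xBB572E0E2D182910, which is not collision resistant). The script below assumes GnuPG 2.1+ (gpg, gpgconf) and awk; the two keys, the stand-in stage3 file and its detached signatures are all constructed locally so it runs offline, and the pinned fingerprint is the constructed key's rather than the real one from the page.

```shell
#!/bin/sh
# Added example, not from the bug thread or Gentoo's own tooling.
# Assumes GnuPG 2.1+ (gpg, gpgconf) and awk. Keys, artifact and signatures
# are constructed here so the script runs offline; in real use the pinned
# fingerprint is the one copied from https://gentoo.org/downloads/signatures/
# over TLS, and the key is fetched by that fingerprint from a keyserver.
set -eu

# key_fingerprint HOME UID: primary-key fingerprint of a key in HOME.
key_fingerprint() {
    gpg --homedir "$1" --batch --with-colons --list-keys "$2" 2>/dev/null \
        | awk -F: '/^fpr:/ { print $10; exit }'
}

# verify_pinned ARTIFACT SIG EXPECTED_FPR HOME
# Succeeds only if SIG is a good signature over ARTIFACT *and* the key that
# made it has primary fingerprint EXPECTED_FPR. A good signature alone proves
# nothing about who signed: any key in the keyring satisfies it.
verify_pinned() {
    artifact=$1; sig=$2; expected=$3; home=$4
    # --status-fd gives machine-readable lines; the human text goes to stderr.
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$sig" "$artifact" 2>/dev/null) || return 1
    # The last field of VALIDSIG is the primary-key fingerprint, even when a
    # signing subkey produced the signature.
    fpr=$(printf '%s\n' "$status" \
          | awk '/^\[GNUPG:\] VALIDSIG / { print $NF; exit }')
    [ -n "$fpr" ] || return 1
    [ "$fpr" = "$expected" ]
}

# make_fixture DIR: constructed test data standing in for stage3-*.tar.xz and
# its detached .asc. Two throwaway keys: "releng" is the one we pin, "stranger"
# is another key that merely happens to be in the keyring. One artifact and a
# detached signature from each key. Prints the releng fingerprint.
make_fixture() {
    dir=$1
    mkdir -p "$dir/gnupg"; chmod 700 "$dir/gnupg"
    printf 'constructed stand-in for a stage3 tarball\n' > "$dir/stage3.tar.xz"
    for who in releng stranger; do
        gpg --homedir "$dir/gnupg" --batch --quiet --pinentry-mode loopback \
            --passphrase '' --quick-generate-key "$who <$who@example.invalid>" \
            default default never 2>/dev/null
        gpg --homedir "$dir/gnupg" --batch --quiet --pinentry-mode loopback \
            --passphrase '' --local-user "$who@example.invalid" \
            --armor --detach-sign --output "$dir/stage3.tar.xz.$who.asc" \
            "$dir/stage3.tar.xz" 2>/dev/null
    done
    key_fingerprint "$dir/gnupg" "releng@example.invalid"
}

# demo: the three outcomes a verifier must keep apart.
demo() {
    dir=$(mktemp -d)
    pinned=$(make_fixture "$dir")
    echo "pinned fingerprint: $pinned"
    a="$dir/stage3.tar.xz"; h="$dir/gnupg"
    verify_pinned "$a" "$a.releng.asc" "$pinned" "$h" \
        && echo "releng signature: OK"
    verify_pinned "$a" "$a.stranger.asc" "$pinned" "$h" \
        || echo "stranger signature: gpg says good, but wrong key -> REJECT"
    printf 'x' >> "$a"
    verify_pinned "$a" "$a.releng.asc" "$pinned" "$h" \
        || echo "tampered artifact: REJECT"
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh verify-pinned.sh demo` (the file name is the reader's choice). The "stranger" case is the one that matters for this bug: gpg exits 0 and prints a good signature for it, and only the fingerprint comparison rejects it. The same comparison applies unchanged to a clearsigned digest file, since VALIDSIG is emitted for that too.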