This year I've been accepted to Google Summer of Code 2014 with the Gentoo Foundation for the Gentoo Keys project; my mentor will be Brian Dolbec (dol-sen).
Gentoo Keys is a Python-based project that aims to manage the GPG keys used for validation on users' machines and on Gentoo's infrastructure servers.
These keys include the release keys, the developer keys, and any other third-party keys or keyrings that are available or needed.
Being a developer in a large community carries great responsibility.
Developers can commit changes directly to the main repository; even an unintentional incorrect commit there affects the majority of users.
Such a mistake can be fixed quickly by the developer who made it.
A less innocent case is a compromised developer machine: the attacker can then commit malicious changes to the main tree at will.
To mitigate such incidents, developers are asked to sign their commits with their GPG key, so that each commit can be checked against the key its author is known to hold. Note that a signature only helps if the signing key itself is not available to the attacker (for example, it is kept on a smartcard or never left unlocked on the compromised host) and if the receiving side actually verifies signatures against a trusted set of keys.
It is an extra layer of protection that helps preserve the integrity of the main repository, provided the verifying side has an authoritative set of keys to check against.
Gentoo Keys aims to provide exactly that, and its features apply to other scenarios as well, such as overlays and release engineering.
Gentoo Keys will be able to verify the GPG keys used to sign Gentoo's release media, such as installation CDs, Live DVDs, packages and other GPG-signed documents.
In addition, the Gentoo infrastructure team will use it to support GPG-signed git commits in the forthcoming migration of the main CVS tree to git.
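The check described above, as an added example that is not Gentoo Keys code and not part of the original post: a throwaway signing key is generated in a private keyring, a constructed release file is signed with a detached signature, the signature is verified and pinned to the expected fingerprint, and a tampered copy of the file is shown to be rejected. It assumes GnuPG 2.1 or newer is installed; the user ID `releng@example.invalid` and the file names are made up for the example.

```shell
#!/bin/sh
# Added example, not Gentoo Keys code: sign an artifact with a throwaway
# GPG key in a private keyring, verify it, pin the expected signer, and
# show that a tampered copy is rejected. Assumes GnuPG 2.1 or newer.
set -eu

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"   # private keyring; never touches ~/.gnupg
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# make_key: generate a throwaway signing key (stand-in for a release key)
# and print its fingerprint. The user ID is constructed for this example.
make_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Releng Test <releng@example.invalid>' ed25519 sign 0 >/dev/null 2>&1
    gpg --batch --with-colons --list-keys 'releng@example.invalid' \
        | awk -F: '/^fpr:/ { print $10; exit }'
}

# sign_artifact: write a (constructed) release file and a detached,
# ASCII-armoured signature next to it, the way release media ship.
sign_artifact() {
    printf 'stage3 placeholder contents\n' > "$WORK/stage3.tar.bz2"
    gpg --batch --quiet --armor --detach-sign \
        --output "$WORK/stage3.tar.bz2.asc" "$WORK/stage3.tar.bz2"
}

# verify_artifact FILE SIG [FINGERPRINT]: succeed only if SIG is a valid
# signature over FILE and, when FINGERPRINT is given, was made by that key.
# Parsing --status-fd output is more robust than matching human-readable text.
verify_artifact() {
    status="$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)" || return 1
    case "$status" in *'[GNUPG:] VALIDSIG '*) ;; *) return 1 ;; esac
    if [ -n "${3:-}" ]; then
        case "$status" in *"[GNUPG:] VALIDSIG $3 "*) ;; *) return 1 ;; esac
    fi
}

FPR="$(make_key)"
sign_artifact
verify_artifact "$WORK/stage3.tar.bz2" "$WORK/stage3.tar.bz2.asc" "$FPR" \
    && echo "good signature from key $FPR"

# Append one byte to the artifact: the detached signature no longer matches.
cp "$WORK/stage3.tar.bz2" "$WORK/tampered.tar.bz2"
printf 'x' >> "$WORK/tampered.tar.bz2"
if verify_artifact "$WORK/tampered.tar.bz2" "$WORK/stage3.tar.bz2.asc"; then
    echo "BUG: tampered artifact accepted"
else
    echo "tampered artifact rejected"
fi
```

The same mechanism protects commits: `git commit -S` signs a commit with the configured key, and `git verify-commit <rev>` or `git log --show-signature` checks it. In both cases a "good signature" from an unknown key proves little on its own; the verifier also needs an authoritative set of keys to pin against, which is the gap Gentoo Keys is meant to fill.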
Gentoo Keys is an open-source project whose code has been available from day one in Gentoo's official repositories. Everyone is welcome to contribute patches and request new features.
Source code: https://github.com/gentoo/gentoo-keys.
Weekly Reports are posted here.
Wiki page: https://wiki.gentoo.org/wiki/Project:Gentoo-keys.