> What is the gain of using a secure hash
> algorithm in the manifests if you can simply replace the manifest with a
> MITM attack on the rsync update?

I'd say "the solution is to stop using rsync and use git" (there is a git mirror
with all the metadata), but...
Git does not support (correct me if I'm wrong) resuming a fetch in case of
failure (bad connection, slow connection, or any other reason to stop it and
continue later).

So... We either need GPG manifest signing enabled, or totally move to git and
ignore all the users with a bad internet connection and totally move portage to
git (hint: we shouldn't), until we invent something else that can solve all
of those problems.