| 1 |
> What is the gain of using a secure hash |
| 2 |
> algorithm in the manifests if you can simply replace the manifest with a |
| 3 |
> MITM attack on the rsync update? |
| 4 |
|
| 5 |
I'd say "the solution is to stop using rsync and use git" (there is git mirror |
| 6 |
with all the metadata), but... |
| 7 |
Git does not support (correct me, if I'm wrong) resuming a fetch in case of |
| 8 |
fails (bad connection, slow connection, or the any other reason to stop it and |
| 9 |
continue later). |
| 10 |
|
| 11 |
So... We either need GPG manifest signing enabled, or totally move to git and |
| 12 |
ignore all the users with bad internet connection and totally move portage to |
| 13 |
git (hint: we shouldn't), until we invent something else, that can solve all |
| 14 |
of that problems. |
Archives