Archives
Archives
| From: | Paul de Vrieze <pauldv@g.o> | ||
|---|---|---|---|
| To: | gentoo-dev@l.g.o | ||
| Subject: | Re: [gentoo-dev] 2004.1 will not include a secure portage. | ||
| Date: | Fri, 26 Mar 2004 08:31:29 | ||
| Message-Id: | 200403260931.23622.pauldv@gentoo.org | ||
| In Reply to: | Re: [gentoo-dev] 2004.1 will not include a secure portage. by Jesse Nelson |
||
| 1 | On Friday 26 March 2004 00:40, Jesse Nelson wrote: |
| 2 | > |
| 3 | > if an attacker can mod the acl list of keys he can add his and his buildts |
| 4 | > etc. you need external verification outside of just the mirror your syncing |
| 5 | > on. |
| 6 | |
| 7 | Outside verification only goes so far. It is not really secure, you need to be |
| 8 | able to verify that you don't get a stale version. |
| 9 | |
| 10 | Paul |
| 11 | |
| 12 | -- |
| 13 | Paul de Vrieze |
| 14 | Gentoo Developer |
| 15 | Mail: pauldv@g.o |
| 16 | Homepage: http://www.devrieze.net |