Hi list!

Am I right that there is currently no way portage tries to verify that
the rsync-mirror is not spoofed?

Doesn't that pose a major threat? If I were able to manipulate the
domain name resolution, I could easily trick gentooers into making false
updates and thus executing a malicious program with root-permission on
their machine.

So, why isn't there some kind of public key authentication going on, at
least optionally?

By the way: How does gentoo's gpg-feature work? The man-page doesn't
contain an explanation.