| 1 |
thought this stuff was discussed long ago bout adding sigs etc to build/dist files, and alot of devs pushed back. ? |
| 2 |
i dont recall but least 12-16 months ago ? |
| 3 |
|
| 4 |
|
| 5 |
are there solution proposals out now ? guess need a glep or somthing ? |
| 6 |
|
| 7 |
|
| 8 |
* Kurt Lieber (klieber@g.o) wrote: |
| 9 |
> Date: Tue, 23 Mar 2004 05:12:01 -0500 |
| 10 |
> From: Kurt Lieber <klieber@g.o> |
| 11 |
> To: Koon <koon@××××××.net> |
| 12 |
> Cc: Jasmine CHUA <Jasmine.Chua@××××××××××××××××.com>, |
| 13 |
> gentoo-security@l.g.o |
| 14 |
> User-Agent: Mutt/1.5.5.1i |
| 15 |
> X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.63 |
| 16 |
> Subject: Re: [gentoo-security] emerge sync |
| 17 |
> |
| 18 |
> On Tue, Mar 23, 2004 at 10:59:20AM +0100 or thereabouts, Koon wrote: |
| 19 |
> > A rsync mirror compromise could definitely lead to a security problem. |
| 20 |
> > |
| 21 |
> > This is a known problem that is being worked on, and some kind of |
| 22 |
> > digital signing check will be built into the ebuild release / rsync |
| 23 |
> > process someday... |
| 24 |
> |
| 25 |
> For anyone subscribed to gentoo-dev, please see the message I just posted |
| 26 |
> there which details the problem as well as our lack of effort to solve it. |
| 27 |
> Hopefully, enough noise from the community will help give us a swift kick |
| 28 |
> in the butt and a wakeup call. (hint: that means you folks) |
| 29 |
> |
| 30 |
> --kurt |
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
-- |
| 35 |
gentoo-security@g.o mailing list |
Archives