thought this stuff was discussed long ago about adding sigs etc. to build/dist files, and a lot of devs pushed back?
I don't recall, but at least 12-16 months ago?

are there solution proposals out now? guess need a GLEP or something?

* Kurt Lieber (klieber@g.o) wrote:
> Date: Tue, 23 Mar 2004 05:12:01 -0500
> From: Kurt Lieber <klieber@g.o>
> To: Koon <koon@××××××.net>
> Cc: Jasmine CHUA <Jasmine.Chua@××××××××××××××××.com>,
> gentoo-security@l.g.o
> User-Agent: Mutt/1.5.5.1i
> X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.63
> Subject: Re: [gentoo-security] emerge sync
>
> On Tue, Mar 23, 2004 at 10:59:20AM +0100 or thereabouts, Koon wrote:
> > A rsync mirror compromise could definitely lead to a security problem.
> >
> > This is a known problem that is being worked on, and some kind of
> > digital signing check will be built into the ebuild release / rsync
> > process someday...
>
> For anyone subscribed to gentoo-dev, please see the message I just posted
> there which details the problem as well as our lack of effort to solve it.
> Hopefully, enough noise from the community will help give us a swift kick
> in the butt and a wakeup call. (hint: that means you folks)
>
> --kurt

--
gentoo-security@g.o mailing list