| 1 |
Hi list! |
| 2 |
|
| 3 |
Am I right that there is currently no way portage tries to verify that |
| 4 |
the rsync-mirror is not spoofed? |
| 5 |
|
| 6 |
Doesn't that pose a major threat? If I were able to manipulate the |
| 7 |
domain name resolution, I could easily trick gentooers into making false |
| 8 |
updates and thus executing a malicious program with root-permission on |
| 9 |
their machine. |
| 10 |
|
| 11 |
|
| 12 |
So, why isn't there some kind of public key authentication going on, at |
| 13 |
least optionally? |
| 14 |
|
| 15 |
By the way: How does gentoo's gpg-feature work. The man-page doesn't |
| 16 |
contain an explanation. |
Archives