List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Florian Philipp <lists@...>
Subject: Portage rsync security
Date: Thu, 20 Mar 2008 11:45:40 +0100

Hi list!

Am I right that there is currently no way portage tries to verify that
the rsync-mirror is not spoofed?

Doesn't that pose a major threat? If I were able to manipulate the
domain name resolution, I could easily trick gentooers into making false
updates and thus executing a malicious program with root-permission on
their machine.


So, why isn't there some kind of public key authentication going on, at
least optionally?

By the way: How does gentoo's gpg-feature work? The man-page doesn't
contain an explanation.


Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.
