List Archive: gentoo-security
Jasmine CHUA wrote:
> I am concerned with the security aspects of running an `emerge sync`. Is
> there any way to verify the packages to be downloaded from running an emerge
> sync? What if the Gentoo rsync server gets hacked? Understanding that each
> ebuild comes with an MD5 digest and all packages are safe in this manner but
> I see that still does not override the possibility that the rsync server may
> get hacked?
An rsync mirror compromise could definitely lead to a security problem.
This is a known problem that is being worked on, and some kind of
digital signing check will be built into the ebuild release / rsync
process someday...
-K
--
gentoo-security@g.o mailing list