List Archive: gentoo-security
Jasmine CHUA wrote:
> I am concerned with the security aspects of running an `emerge sync`. Is
> there any way to verify the packages to be downloaded from running an emerge
> sync? What if the gentoo rsync server gets hacked? Understanding that each
> ebuild comes with an MD5 digest and all packages are safe in this manner but
> I see that still does not override the possibility that the rsync server may
> get hacked?
An rsync mirror compromise could definitely lead to a security problem.
This is a known problem that is being worked on, and some kind of
digital signing check will be built into the ebuild release / rsync