On 28-02-2018 12:34:31 -0600, R0b0t1 wrote:
> Can you not use webrsync-gpg for the time being?

I'm afraid not, we do "sign" the snapshots, but they are just tarred up
versions of the rsync tree as generated. The same tree we're talking
about here.
|
> Incremental updates of authenticated files would be best, but until
> that can be done in a completely foolproof way I would wait so as to
> not give yourself a false sense of security.
|
Honestly I never understood why Portage doesn't just verify the paths to
the ebuilds it eventually wants to install. Anyway, for me the goal is
to get some sense of verification, the ultimate sense of security is
kind of pointless, since you can point it at any random host, and any
random joe can generate any random, but valid(ating) tree.
|
Fabian

--
Fabian Groffen
Gentoo on a different level