| 1 |
On 28-02-2018 12:34:31 -0600, R0b0t1 wrote: |
| 2 |
> Can you not use webrsync-gpg for the time being? |
| 3 |
|
| 4 |
I'm affraid not, we do "sign" the snapshots, but they are just tarred up |
| 5 |
versions of the rsync tree as generated. The same tree we're talking |
| 6 |
about here. |
| 7 |
|
| 8 |
> Incremental updates of authenticated files would be best, but until |
| 9 |
> that can be done in a completely foolproof way I would wait so as to |
| 10 |
> not give yourself a false sense of security. |
| 11 |
|
| 12 |
Honestly I never understood why Portage doesn't just verify the paths to |
| 13 |
the ebuilds it eventually wants to install. Anyway, for me the goal is |
| 14 |
to get some sense of verification, the ultimate sense of security is |
| 15 |
kind of pointless, since you can point it at any random host, and any |
| 16 |
random joe can generate any random, but valid(ating) tree. |
| 17 |
|
| 18 |
Fabian |
| 19 |
|
| 20 |
|
| 21 |
-- |
| 22 |
Fabian Groffen |
| 23 |
Gentoo on a different level |
Archives