Gentoo Archives: gentoo-dev

From: Diamond <diamond@××××××.ru>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Re: Current Gentoo Git setup / man-in-the-middle attacks
Date: Mon, 30 Mar 2015 13:14:03
Message-Id: 20150330161350.207e8f56@diamond.mlzone
In Reply to: Re: [gentoo-dev] Re: Current Gentoo Git setup / man-in-the-middle attacks by Andrew Savchenko
On Mon, 30 Mar 2015 11:57:45 +0300
Andrew Savchenko <bircoph@g.o> wrote:

> The Gentoo tree is not verified anyway: mirrors distribute it via
> http, rsync and ftp. And using https for that will create a
> tremendous stress on mirrors' CPUs, so this is a bad approach.
> Not to mention that https itself is a very hapless protocol with tons
> of vulnerabilities (all SSL versions are affected and most TLS
> implementations).
>
> A proper solution will be to use cryptographic verification of
> downloaded files.

We should probably distinguish security of reading from a Gentoo mirror
and writing to it. But for paranoid ones we probably should add the
option to read from https:// or other secured protocols too.
