Gentoo Archives: gentoo-dev

From: Paul de Vrieze <gentoo-user@××××××××.net>
To: gentoo-dev@g.o
Subject: [gentoo-dev] Re: [gentoo-security] Verifying portage is from Gentoo
Date: Mon, 13 Jan 2003 10:28:01
Message-Id: 200301131124.26792.gentoo-user@devrieze.net
On Monday 13 January 2003 09:13, cdfrey@×××××××××.ca wrote:
> [snip] > > > But there are more easy ways to do this. > > Yeah... the idea that this is so easy to do is a little scary. I assume > even the developers do "emerge rsyncs" over the internet (I could be > wrong here), so there is a possibility for a trojan to silently work > it's way through the entire Gentoo world from the developers down. > > I'm happy to see my comments weren't just brushed aside. Many thanks! >
Maybe the easiest way would be that some/all rsync mirrors would offer rsync over ssl, so that the origin servers could be authenticated. This would also mean some changes for clients to be able to use it. Paul -- Paul de Vrieze Researcher Mail: pauldv@××××××.nl Homepage: http://www.cs.kun.nl/~pauldv

Replies

Subject Author
Re: [gentoo-dev] Re: [gentoo-security] Verifying portage is from Gentoo Evan Powers <powers.161@×××.edu>