| 1 |
On Tue, Mar 23, 2004 at 05:08:24AM -0500, Kurt Lieber wrote: |
| 2 |
> Today, John informed me that we will still have an insecure |
| 3 |
> implementation of Portage in 2004.1 due to a lack of effort and |
| 4 |
> commitment towards solving this problem. |
| 5 |
> |
| 6 |
> We have been talking about GPG-signed packages in portage for almost |
| 7 |
> exactly one year now.[1] Yet, we have not delivered on our promises |
| 8 |
> to our user base. Just today, we had a user ask how she can verify |
| 9 |
> the integrity of packages she downloads.[2] I can't give her any good |
| 10 |
> answer because the answer is she can't. |
| 11 |
I wrote up a functional prototype patch Mon, 8 Dec 2003 and mailed it to |
| 12 |
gentoo-core when a discussion on the subject was in progress. This is |
| 13 |
the ONLY code I've seen produced by anybody on the subject of GPG |
| 14 |
signing to date. |
| 15 |
|
| 16 |
-- |
| 17 |
Robin Hugh Johnson |
| 18 |
E-Mail : robbat2@××××××××××××××.net |
| 19 |
Home Page : http://www.orbis-terrarum.net/?l=people.robbat2 |
| 20 |
ICQ# : 30269588 or 41961639 |
| 21 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |
Archives