On Tue, Mar 23, 2004 at 05:08:24AM -0500, Kurt Lieber wrote:
> Today, John informed me that we will still have an insecure
> implementation of Portage in 2004.1 due to a lack of effort and
> commitment towards solving this problem.
>
> We have been talking about GPG-signed packages in portage for almost
> exactly one year now.[1] Yet, we have not delivered on our promises
> to our user base. Just today, we had a user ask how she can verify
> the integrity of packages she downloads.[2] I can't give her any good
> answer because the answer is she can't.

I wrote up a functional prototype patch Mon, 8 Dec 2003 and mailed it to
gentoo-core when a discussion on the subject was in progress. This is
the ONLY code I've seen produced by anybody on the subject of GPG
signing to date.

--
Robin Hugh Johnson
E-Mail : robbat2@××××××××××××××.net
Home Page : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ# : 30269588 or 41961639
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85