Gentoo Archives: gentoo-dev

From: Paul de Vrieze <gentoo-user@××××××××.net>
To: gentoo-dev@g.o
Subject: [gentoo-dev] Re: [gentoo-security] Trojan for Gentoo/GNU Linux, proof of concept
Date: Sat, 22 Mar 2003 21:14:34
Message-Id: 200303222214.31606.gentoo-user@devrieze.net

On Saturday 22 March 2003 12:20, MAL wrote:
>
> I don't think I would trust a security/paranoid only update system
> within portage, as portage will still be working with an externally
> generated list of to-do. Building an update locally, making sure it's
> only what you want, then packaging it, (ebuild package - tbz2 format),
> and installing it on the remote machine, is the only method I'd feel
> satisfied with.
>

I agree with your point of view. While my only "server" is a home server that
does some printing and IP sharing stuff, I do make sure I don't just update
world. I don't see the point of "running emerge -u world from cron" at all.
The best protection from instability is keeping record of the mailing lists,
and not updating what is not broken.

For my desktops, even there I wait with updates for packages like gcc, glibc,
X etc. until I believe they are actually stable in the sense that I don't hear
about problems concerning them anymore.

Paul

--
Paul de Vrieze
Researcher
Mail: pauldv@××××××.nl
Homepage: http://www.devrieze.net