Gentoo Archives: gentoo-dev

From: Paul de Vrieze <gentoo-user@××××××××.net>
To: gentoo-dev@g.o
Subject: [gentoo-dev] Re: [gentoo-security] Trojan for Gentoo/GNU Linux, proof of concept
Date: Sat, 22 Mar 2003 21:14:34
1 On Saturday 22 March 2003 12:20, MAL wrote:
2 >
3 > I don't think I would trust a security/paranoid only update system
4 > within portage, as portage will still be working with an externally
5 > generated list of to-do. Building aan update locally, making sure it's
6 > only what you want, then packaging it, (ebuild package - tbz2 format),
7 > and installing it on the remote machine, is the only method i'd feel
8 > satisfied with.
9 >
11 I agree with your point of view. While my only "server" is a home server that
12 does some printing and ip sharing stuff I do make sure I don't just update
13 world. I don't see the point of "running emerge -u world from cron" at all.
14 The best protection from instability is keeping record of the mailing lists,
15 and not updating what is not broken.
17 For my desktops, I even there wait with updates for packages like gcc, glibc,
18 X etc. until I believe they are actually stable in a sense that I don't hear
19 about problems concerning them anymore.
21 Paul
23 --
24 Paul de Vrieze
25 Researcher
26 Mail: pauldv@××××××.nl
27 Homepage: