Good evening folks,

In the past I witnessed bits and pieces of attempts to increase the
infrastructure userside, but, unless I'm mistaken, there's still room
for improvement.

For a couple of years we have had the webrsync-gpg FEATURE, which enables
automatic verification of the portage tree when updated via webrsync.

We also have mandatory signing via gpg of packages, news items and (I
strongly suspect) GLSAs for maintainers. Yet, there's no checking
mechanism whatsoever in portage.

Now my question: are there existing plans on how to improve this
situation? Any project that might be involved with such plans?
In particular, my question is with respect to
- automatic verification of the gpg-signatures provided when syncing
  via git
- development of a verification scheme that works just as well with rsync
- on the threat-assessment side: are there dangers involved, apart from
  a mitm-attack between the (rsyncing) end-user and a mirror or a mirror
  and the main servers?

Thank you for your time.

With kind regards,
tomboy64