| 1 |
Good evening folks, |
| 2 |
|
| 3 |
in the past I witnessed bits and pieces of attempts to increase the |
| 4 |
infrastructure userside, but, unless I'm mistaken, there's still room |
| 5 |
for improvement. |
| 6 |
|
| 7 |
Since a couple of years we have the webrsync-gpg FEATURE, which enables |
| 8 |
automatic verification of the portage tree, when updated via webrsync. |
| 9 |
|
| 10 |
We also have mandatory signing via gpg of packages, news items and (I |
| 11 |
strongly suspect) GLSAs for maintainers. Yet, there's not checking |
| 12 |
mechanism whatsoever in portage. |
| 13 |
|
| 14 |
Now my question: are there plans existing on how to improve this |
| 15 |
situation? Any project that might be involved with such plans? |
| 16 |
In particular, my question is with respect to |
| 17 |
- automatic verififcation of the gpg-signatures provided when syncing |
| 18 |
via git |
| 19 |
- development of a verification scheme that works just as well with rsync |
| 20 |
- on the threat-assessment side: are there dangers involved, apart from |
| 21 |
a mitm-attack between the (rsyncing) end-user and a mirror or a mirror |
| 22 |
and the main servers? |
| 23 |
|
| 24 |
Thank you for your time. |
| 25 |
|
| 26 |
With kind regards, |
| 27 |
tomboy64 |
Archives