On Sun, Sep 07, 2003 at 10:34:06PM +0000, Jan Krueger wrote:
> On Sunday 07 September 2003 19:56, Jon Portnoy wrote:
> > The vulnerability at that point is compromised keys, which is why we
> > would have an uberkey so we can revoke developer keys as soon as
> > possible. It's not foolproof, but it's a whole lot better.
> I agree.
> But that's no excuse to not fix the security/consistency faults in portage that
> showed up in this discussion.
>

What, that any situation involving installing software is going to have
security holes? That's the nature of software installation.

> You never know ...
>
> It may already be too late for thousands of users until someone of gentoo-core
> uses the ueberkey, especially in holiday seasons.
>
> Or has core, especially in key questions, an availability of 24/7?

We have enough managers who do this nearly full-time (including myself
most of the time), and we share phone numbers (and cell phone numbers),
so it's fairly unlikely.

>
> > There is no such thing as perfect security short of shutting down your
> > computer.
> Yes, you never know...
> That's why I would prefer a secure transport layer for emerge, you know?
>
> Jan

A secure transport layer is unnecessary if we're using GPG signing,
which has always been the intent - but seems to have stalled.

--
Jon Portnoy
avenj/irc.freenode.net

--
gentoo-dev@g.o mailing list