Archives
Archives
| From: | Zac Medico <zmedico@g.o> | ||
|---|---|---|---|
| To: | gentoo-portage-dev@l.g.o | ||
| Subject: | Re: [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers | ||
| Date: | Sat, 07 Mar 2015 23:26:31 | ||
| Message-Id: | 54FB8922.90408@gentoo.org | ||
| In Reply to: | Re: [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers by Mark Kubacki |
||
| 1 | On 03/06/2015 09:50 AM, Mark Kubacki wrote: |
| 2 | > We're on the same side here. |
| 3 | > |
| 4 | > Do we have numbers showing the ratio "portage used with defaults" vs. |
| 5 | > where "[webrsync-gpg] is described in many hardening guides for gentoo |
| 6 | > and widely used among the security conscious" applies? |
| 7 | > |
| 8 | > DNS not being encrypted is just painting the whole picture. Point is, |
| 9 | > the default is that "emerge --sync" results in a transfer using RSYNC |
| 10 | > (or http). |
| 11 | > |
| 12 | > And by default you cannot compare the result with any authoritative source. |
| 13 | > |
| 14 | |
| 15 | Ideally, we can rely on security mechanisms built into git [1], possibly |
| 16 | involving signed commits. |
| 17 | |
| 18 | [1] https://github.com/gentoo/gentoo-portage-rsync-mirror |
| 19 | -- |
| 20 | Thanks, |
| 21 | Zac |
| Subject | Author |
|---|---|
| Re: [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers | Brian Dolbec <dolsen@g.o> |
| Re: [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers | Patrick Schleizer <patrick-mailinglists@××××××.org> |
| Re: [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers | Mark Kubacki <wmark@×××××××××.de> |