From: Zac Medico <zmedico@g.o>
To: gentoo-portage-dev@l.g.o
Subject: Re: [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers
Date: Sat, 07 Mar 2015 23:26:31
Message-Id: 54FB8922.90408@gentoo.org
In Reply to: Re: [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers by Mark Kubacki

On 03/06/2015 09:50 AM, Mark Kubacki wrote:
> We're on the same side here.
>
> Do we have numbers showing the ratio "portage used with defaults" vs.
> where "[webrsync-gpg] is described in many hardening guides for gentoo
> and widely used among the security conscious" applies?
>
> DNS not being encrypted is just painting the whole picture. Point is,
> the default is that "emerge --sync" results in a transfer using RSYNC
> (or http).
>
> And by default you cannot compare the result with any authoritative source.
>

Ideally, we can rely on security mechanisms built into git [1], possibly
involving signed commits.

[1] https://github.com/gentoo/gentoo-portage-rsync-mirror
--
Thanks,
Zac