Gentoo Archives: gentoo-portage-dev

From: Patrick Schleizer <patrick-mailinglists@××××××.org>
To: gentoo-portage-dev@l.g.o
Subject: Re: [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers
Date: Sun, 08 Mar 2015 14:59:42
Message-Id: 54FC63D0.2000108@whonix.org
In Reply to: Re: [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers by Zac Medico
Zac Medico:
> On 03/06/2015 09:50 AM, Mark Kubacki wrote:
>> We're on the same side here.
>>
>> Do we have numbers showing the ratio "portage used with defaults" vs.
>> where "[webrsync-gpg] is described in many hardening guides for gentoo
>> and widely used among the security conscious" applies?
>>
>> DNS not being encrypted is just painting the whole picture. Point is,
>> the default is that "emerge --sync" results in a transfer using RSYNC
>> (or http).
>>
>> And by default you cannot compare the result with any authoritative source.
>>
>
> Ideally, we can rely on security mechanisms built into git [1], possibly
> involving signed commits.
>
> [1] https://github.com/gentoo/gentoo-portage-rsync-mirror

Then the question is, how secure are signatures when used with git?

A while ago I wrote a blog post asking that question, referencing a lot
of related information, started a discussion and also posted this on the
git mailing list.

"How safe are signed git tags? Only as safe as SHA-1 or somehow safer?"
[1] [2]

Cheers,
Patrick

[1]
https://www.whonix.org/blog/how-safe-are-signed-git-tags-only-as-safe-as-sha-1-or-somehow-safer
[2] http://www.mail-archive.com/git@×××××××××××.org/msg61087.html
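The question raised above, why a signed git tag is only as strong as SHA-1, comes down to what bytes the tag signature actually covers. The following is an added illustration, not code from this thread, from Portage or from git itself: it rebuilds git's object hashing in Python (a constructed one-file repository, a fixed tagger identity and a hypothetical tag name are all made up here) and shows that the text under a tag signature names the commit only by its SHA-1 id, which names the tree by SHA-1, which names each file blob by SHA-1. Blob and empty-tree ids match what `git hash-object` produces, so the chain is the real one.

```python
"""What a signed git tag binds: a chain of SHA-1 object ids, not file contents.

Added example (not from the mailing-list thread). Object formats follow git's
on-disk layout; the sample repository, identity and tag name are constructed.
"""
import hashlib


def git_object_id(kind, payload):
    # git names every object by SHA-1 over '<type> <size>\0<payload>'.
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content):
    return git_object_id("blob", content)


def tree_object(entries):
    # entries: (mode, name, hex object id); plain files only, sorted by name as git does.
    payload = b"".join(
        f"{mode} {name}\0".encode() + bytes.fromhex(oid)
        for mode, name, oid in sorted(entries, key=lambda e: e[1])
    )
    return git_object_id("tree", payload), payload


def commit_object(tree, parents, ident, message):
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message]
    payload = "\n".join(lines).encode()
    return git_object_id("commit", payload), payload


def tag_signed_payload(obj, name, ident, message):
    # Exactly the text that 'git tag -s' signs; the PGP block is appended after it.
    return f"object {obj}\ntype commit\ntag {name}\ntagger {ident}\n\n{message}\n".encode()


def tag_object_id(signed_payload, signature_block):
    # The tag's own id covers the signed text plus the appended signature.
    return git_object_id("tag", signed_payload + signature_block)


# Constructed sample: one file, one root commit, one tag (hypothetical identity and tag name).
IDENT = "Example Tagger <tagger@example.invalid> 1425826782 +0000"


def build_example(file_content=b"hello\n"):
    b = blob_id(file_content)
    t, _ = tree_object([("100644", "hello.txt", b)])
    c, _ = commit_object(t, [], IDENT, "Initial import\n")
    signed = tag_signed_payload(c, "v1.0", IDENT, "Release v1.0")
    return {"file": file_content, "blob": b, "tree": t, "commit": c, "signed_bytes": signed}


def signature_names_commit(example):
    # True: the commit id is literally inside the signed text.
    return example["commit"].encode() in example["signed_bytes"]


def signature_binds_content_directly(example):
    # False: neither the file bytes nor the tree id appear under the signature;
    # they are reachable only through SHA-1 ids, so a SHA-1 collision on the
    # commit, tree or blob would leave the signature equally valid for both versions.
    s = example["signed_bytes"]
    return example["file"] in s or example["tree"].encode() in s


if __name__ == "__main__":
    ex = build_example()
    print("blob  ", ex["blob"])
    print("tree  ", ex["tree"])
    print("commit", ex["commit"])
    print("signed tag text:\n" + ex["signed_bytes"].decode())
    print("commit id under signature:", signature_names_commit(ex))
    print("file bytes under signature:", signature_binds_content_directly(ex))
```

Running it prints the three object ids and the signed tag text; the blob id for `hello\n` and the empty-tree id are the well-known git values, which is a quick way to confirm the hashing is faithful before trusting the structural point.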
