From: | Patrick Schleizer <patrick-mailinglists@××××××.org>
---|---
To: | gentoo-portage-dev@l.g.o
Subject: | Re: [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers
Date: | Sun, 08 Mar 2015 14:59:42
Message-Id: | 54FC63D0.2000108@whonix.org
In Reply to: | Re: [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers by Zac Medico
Zac Medico:
> On 03/06/2015 09:50 AM, Mark Kubacki wrote:
>> We're on the same side here.
>>
>> Do we have numbers showing the ratio "portage used with defaults" vs.
>> where "[webrsync-gpg] is described in many hardening guides for gentoo
>> and widely used among the security conscious" applies?
>>
>> DNS not being encrypted is just painting the whole picture. Point is,
>> the default is that "emerge --sync" results in a transfer using RSYNC
>> (or http).
>>
>> And by default you cannot compare the result with any authoritative source.
>>
>
> Ideally, we can rely on security mechanisms built into git [1], possibly
> involving signed commits.
>
> [1] https://github.com/gentoo/gentoo-portage-rsync-mirror

Then the question is, how secure are signatures when used with git?

A while ago I wrote a blog post asking that question, referencing a lot
of related information, started a discussion and also posted this on the
git mailing list.

"How safe are signed git tags? Only as safe as SHA-1 or somehow safer?"
[1] [2]

Cheers,
Patrick

[1]
https://www.whonix.org/blog/how-safe-are-signed-git-tags-only-as-safe-as-sha-1-or-somehow-safer
[2] http://www.mail-archive.com/git@×××××××××××.org/msg61087.html
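To make concrete what the question in this reply is about, here is an added example (not from the thread, nor Portage's or git's own code) that recomputes git object IDs in pure Python and shows that the bytes a signed tag covers name the commit only by its SHA-1, so every link from the signature down to file contents is a SHA-1 comparison. The repository contents, author and timestamp are constructed values.

```python
# Added example: what a signed git tag actually covers.
# Pure-Python recomputation of git object IDs (SHA-1 over "<type> <len>\0<payload>"),
# so the chain tag -> commit -> tree -> blob can be inspected offline.
import hashlib

def git_object_id(obj_type: str, payload: bytes) -> str:
    """Object ID as git computes it: SHA-1 of the type/length header plus payload."""
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()

def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)

def tree_payload(entries) -> bytes:
    """entries: (mode, name, hex oid). Git stores "<mode> <name>\\0" + 20 raw oid bytes, sorted by name."""
    return b"".join(f"{mode} {name}\0".encode() + bytes.fromhex(oid)
                    for mode, name, oid in sorted(entries, key=lambda e: e[1]))

def commit_payload(tree_oid: str, author: str, message: str) -> bytes:
    # Root commit (no parent line) to keep the example short; author is a constructed value.
    return f"tree {tree_oid}\nauthor {author}\ncommitter {author}\n\n{message}\n".encode()

def tag_payload(commit_oid: str, tag: str, tagger: str, message: str) -> bytes:
    """The bytes `git tag -s` feeds to GnuPG; the detached signature is appended after them."""
    return f"object {commit_oid}\ntype commit\ntag {tag}\ntagger {tagger}\n\n{message}\n".encode()

def tag_binds_content(tag_text: bytes, commit_text: bytes, tree_entries, blobs: dict) -> bool:
    """Recompute the hash chain: the signed tag names a commit by SHA-1, the commit names a
    tree, the tree names blobs. Content is covered only through SHA-1 equality at each link."""
    signed_commit = tag_text.split(b"\n")[0].split(b" ")[1].decode()
    if git_object_id("commit", commit_text) != signed_commit:
        return False
    signed_tree = commit_text.split(b"\n")[0].split(b" ")[1].decode()
    if git_object_id("tree", tree_payload(tree_entries)) != signed_tree:
        return False
    return all(blob_id(blobs[name]) == oid for _, name, oid in tree_entries)

# Constructed repository: one file, one root commit, one tag.
FILES = {"hello.txt": b"hello\n"}
ENTRIES = [("100644", name, blob_id(data)) for name, data in FILES.items()]
TREE = git_object_id("tree", tree_payload(ENTRIES))
WHO = "Example Maintainer <maint@example.invalid> 1425826782 +0000"
COMMIT = commit_payload(TREE, WHO, "initial import")
TAG = tag_payload(git_object_id("commit", COMMIT), "v1.0", WHO, "release 1.0")

if __name__ == "__main__":
    print(TAG.decode())  # no file contents appear here, only the commit's SHA-1
    print("chain verifies:", tag_binds_content(TAG, COMMIT, ENTRIES, FILES))
    tampered = dict(FILES, **{"hello.txt": b"hell0\n"})
    print("after tampering a blob:", tag_binds_content(TAG, COMMIT, ENTRIES, tampered))
```

A tag signature therefore attests to a 40-hex-digit commit ID and nothing else; whether the checked-out tree matches is decided by recomputing SHA-1 at every link, which is exactly why the question reduces to the strength of SHA-1.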