| 1 |
On Wed, 2004-11-10 at 13:31 +0000, Anthony Metcalf wrote: |
| 2 |
> On Wed, 10 Nov 2004 13:26:26 +0000 |
| 3 |
> Antoine Martin <antoine@××××××××××.uk> wrote: |
| 4 |
> |
| 5 |
> > Sure, I agree with you. This is would not solve *all* problems. |
| 6 |
> > |
| 7 |
> > But it would solve the problem that this thread started on, which is to |
| 8 |
> > trust all the hops between your box and the gentoo servers. Which is a |
| 9 |
> > greater risk than a compromised gentoo server. |
| 10 |
> |
| 11 |
> The point, as many people have said, is that the "simple solution" is not as simple as it looks. The changes necessary to allow having up to date hashes of all the files, the file contining the hashes signed, and the checking of the file, and the hashes, *before* any remote info is run, would add significat develpoment time, prolonging the time for the *better* solution. Not to mention the processing would add a lot of overhead. |
| 12 |
I think this was mentioned before, but the few who would like to check |
| 13 |
these signatures would probably not mind having out of date hashes, and |
| 14 |
having to resync if they need to emerge that particular package - |
| 15 |
assuming it got changed just when they last synced. Or am I missing |
| 16 |
something? |
| 17 |
|
| 18 |
> Like to guess how long it would take to compile a list of hashes for the 100,000+ files in portage on my 450MHz server? |
| 19 |
I think someone already tried it on this list, a few minutes IIRC. |
| 20 |
|
| 21 |
> Yes there is a problem, yes there is a fix, the fix is on it's way, be patient. |
| 22 |
No disrespect, but if it has taken more than 1.5 years already - and I |
| 23 |
have not seen any release schedule, why not at least consider a |
| 24 |
temporary fix? |
| 25 |
|
| 26 |
|
| 27 |
-- |
| 28 |
gentoo-security@g.o mailing list |
Archives