On Fri, Nov 12, 2004 at 07:54:38AM -0500, dante@×××××××××××××××.net wrote:
>
> The recent discussion on how to protect the portage tree from
> man-in-the-middle attacks has concentrated on signing either the portage
> tarball or the individual files in the tree.
>
> What about approaching the problem the way OpenBSD deals with its ports,
> that is with cvs over an ssh tunnel to authorized mirrors. The only
> drawback I see is that many gentoo users use rsync, but the cvs approach
> could be added on top of what already exists and security conscious users
> will then have the option of switching.

Do you know how the mirrors are authorized? Official certificates, self-signed,
own PKI?
I think if the rsync mirrors are too stressed for signing, they would be
too stressed for rsync too, although rsync could be tunneled too.

Anyway, interesting approach too.

regards klaus

--
gentoo-security@g.o mailing list