| 1 |
On Wed, 10 Nov 2004 13:26:26 +0000 |
| 2 |
Antoine Martin <antoine@××××××××××.uk> wrote: |
| 3 |
|
| 4 |
> Sure, I agree with you. This is would not solve *all* problems. |
| 5 |
> |
| 6 |
> But it would solve the problem that this thread started on, which is to |
| 7 |
> trust all the hops between your box and the gentoo servers. Which is a |
| 8 |
> greater risk than a compromised gentoo server. |
| 9 |
|
| 10 |
The point, as many people have said, is that the "simple solution" is not as simple as it looks. The changes necessary to allow having up to date hashes of all the files, the file contining the hashes signed, and the checking of the file, and the hashes, *before* any remote info is run, would add significat develpoment time, prolonging the time for the *better* solution. Not to mention the processing would add a lot of overhead. |
| 11 |
|
| 12 |
Like to guess how long it would take to compile a list of hashes for the 100,000+ files in portage on my 450MHz server? |
| 13 |
|
| 14 |
Yes there is a problem, yes there is a fix, the fix is on it's way, be patient. |
Archives