Gentoo Archives: gentoo-security

From: Florian Philipp <lists@××××××××××××××××××.net>
To: gentoo-security@l.g.o
Subject: [gentoo-security] Portage rsync security
Date: Thu, 20 Mar 2008 10:46:58
Message-Id: 1206009940.22869.11.camel@NOTE_GENTOO64.PHHEIMNETZ
Hi list!

Am I right that there is currently no way portage tries to verify that
the rsync-mirror is not spoofed?

Doesn't that pose a major threat? If I were able to manipulate the
domain name resolution, I could easily trick gentooers into making false
updates and thus executing a malicious program with root-permission on
their machine.

So, why isn't there some kind of public key authentication going on, at
least optionally?

By the way: How does gentoo's gpg-feature work. The man-page doesn't
contain an explanation.


File name MIME type
signature.asc application/pgp-signature


Subject Author
Re: [gentoo-security] Portage rsync security Mansour Moufid <mansourmoufid@×××××.com>
Re: [gentoo-security] Portage rsync security Robert Buchholz <rbu@g.o>