On Mon, 8 Nov 2004, Peter Simons wrote:
> Ed Grimm writes:
>
>> So how is it that having the Manifest files all signed,
>> and having the Manifest signatures checked, and checking
>> all the MD5 sums in the Manifest files against the files
>> in the directories only a partial answer?
>
> /usr/portage/eclass is not authenticated by this and
> contains shell code that's (possibly) executed with
> superuser privileges.
|
Would the obvious fix not be to provide signed Manifest files for the
eclasses as well?
|
Ed

--
gentoo-security@g.o mailing list