| 1 |
On Friday 12 November 2004 13:54, dante@×××××××××××××××.net wrote: |
| 2 |
> The recent discussion on how to protect the portage tree from |
| 3 |
> man-in-the-middle attacks has concentrated on signing either the |
| 4 |
> portage tarball or the individual files in the tree. |
| 5 |
> |
| 6 |
> What about approaching the problem the way OpenBSD deals with its |
| 7 |
> ports, that is with cvs over an ssh tunnel to authorized mirrors. The |
| 8 |
> only drawback I see is that many gentoo users use rsync, but the cvs |
| 9 |
> approach could be added on top of what already exists and security |
| 10 |
> conscious users will then have the option of switching. |
| 11 |
|
| 12 |
In the early days, gentoo did actually offer anonymous cvs. It was quickly |
| 13 |
removed as putting a too big load on the servers. I don't know whether we |
| 14 |
can devise a way in which we can offer an acceptable level of anon cvs. |
| 15 |
In between I do think that we might want to set up secure rsync (ssh or |
| 16 |
stunnel) at least from the master rsync mirror to the normal mirrors, and |
| 17 |
maybe even allow normal users to use "secure rsync". Setting up ssl rsync |
| 18 |
should not be hard, allthough rsync does not by itself support it out of |
| 19 |
the box. Stunnel should be able to offer it. |
| 20 |
|
| 21 |
Paul |
| 22 |
|
| 23 |
-- |
| 24 |
Paul de Vrieze |
| 25 |
Gentoo Developer |
| 26 |
Mail: pauldv@g.o |
| 27 |
Homepage: http://www.devrieze.net |
Archives