| 1 |
Rich Freeman <rich0@g.o> wrote: |
| 2 |
> On Sat, Jul 7, 2018 at 1:51 AM Martin Vaeth <martin@×××××.de> wrote: |
| 3 |
>> Davyd McColl <davydm@×××××.com> wrote: |
| 4 |
>> |
| 5 |
>> > I ask because prior to the GitHub incident, I didn't have signature |
| 6 |
>> > verification enabled |
| 7 |
>> |
| 8 |
>> Currently, it is not practical to change this, see my other posting. |
| 9 |
> |
| 10 |
> You clearly don't understand what it actually checks. |
| 11 |
|
| 12 |
Davyd and I were obviously speaking about the gentoo repository |
| 13 |
(the official one and the one on github which got hacked). |
| 14 |
For these repositories verification is practically not possible. |
| 15 |
(That there are also *other* repositories - with huge metadata history - |
| 16 |
which might be easier to verify is a different story). |
| 17 |
|
| 18 |
Perversely, the official comments after the hack had |
| 19 |
suggested that you should have enabled signature verification for |
| 20 |
the hacked repository which was simply practically not possible. |
Archives