Rich Freeman <rich0@g.o> wrote:

> On Sat, Jul 7, 2018 at 1:51 AM Martin Vaeth <martin@×××××.de> wrote:
>> Davyd McColl <davydm@×××××.com> wrote:
>>
>> > I ask because prior to the GitHub incident, I didn't have signature
>> > verification enabled
>>
>> Currently, it is not practical to change this, see my other posting.
>
> You clearly don't understand what it actually checks.

Davyd and I were obviously speaking about the gentoo repository
(the official one and the one on github which got hacked).
For these repositories verification is practically not possible.
(That there are also *other* repositories - with huge metadata history -
which might be easier to verify is a different story).

Perversely, the official comments after the hack had
suggested that you should have enabled signature verification for
the hacked repository which was simply practically not possible.