From: Johannes Findeisen <you@hanez.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: possible trojan in openssh-3.4p1
Date: Fri, 2 Aug 2002 14:02:49 +0200
Message-ID: <200208021402.49671.you@hanez.org>
In-Reply-To: <aidt9t$7nf$1@main.gmane.org>

> as far as the above suggestion made by Terje is concerned You're right.
> Distributed checks could easily lead to "confusion", especially working
> with mirrors. But MD5 alone IS a joke when it comes to _security_
> (here: proof of origin/unmodified developer version). It's quite good
> to check file corruption during data transfer. But that's it in my
> eyes. If one wants secure "origin" checks there's the need for gpg
> signing or something alike. Just using md5 someone who got write access
> to a portage-server could easily regenerate the sum and paste it into
> the ebuild including a modified SRC-URL.

yeah you're right. but AFAIK the gentoo rsync mirrors are being updated every
30 minutes. so if anyone is interested in putting some hacked versions in
there, he could do that but will destroy all changes after mirroring the
portage tree again. hmmm... but you're right!!! all people who are providing
mirrors are in the position to make such things.

well there are ways to do it but we have only one "master" of rsync servers so
all the others will be updated from this one. i think and hope it is this
way...

trust no one

hanez... ;-)
--
begin .signature
question: is it a feature to execute code in emails?
i don't think so!
end
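
An added example, not part of the original message or of Portage: it plays out the case discussed above, where a party with write access to a server replaces a tarball and regenerates its MD5, and compares that check with a signature verified against a key obtained out of band. A Lamport one-time signature built on SHA-256 stands in for gpg so the block runs with the standard library only; the dict layout and all function names are hypothetical, and the tarball bytes are constructed samples.

```python
import hashlib, secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 secret pairs; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit; only the key holder can do this.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def publish(tarball, sk):
    # What the developer uploads (hypothetical layout).
    return {"tarball": tarball, "md5": md5_hex(tarball), "sig": sign(sk, tarball)}

def rewrite_on_mirror(entry, tarball):
    # Write access to the server: file and MD5 can both be replaced,
    # but the signature cannot be regenerated without the private key.
    return {**entry, "tarball": tarball, "md5": md5_hex(tarball)}

def md5_check(entry):
    return md5_hex(entry["tarball"]) == entry["md5"]

def sig_check(entry, pinned_pk):
    # pinned_pk was obtained out of band, not from the mirror.
    return verify(pinned_pk, entry["tarball"], entry["sig"])

def demo():
    sk, pk = keygen()
    good = publish(b"constructed sample: original release", sk)
    bad = rewrite_on_mirror(good, b"constructed sample: modified release")
    return {"good": (md5_check(good), sig_check(good, pk)),
            "modified": (md5_check(bad), sig_check(bad, pk))}

if __name__ == "__main__":
    print(demo())
```

The MD5 comparison passes for both entries because the digest travels with the file; only the signature check separates them.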