From: Johannes Findeisen
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: possible trojan in openssh-3.4p1
Date: Fri, 2 Aug 2002 14:02:49 +0200

> as far as the above suggestion made by Terje is concerned You're right.
> Distributed checks could easily lead to "confusion", especially working
> with mirrors. But MD5 alone IS a joke when it comes to _security_
> (here: proof of origin/unmodified developer version). It's quite good
> to check file corruption during data transfer. But that's it in my
> eyes. If one wants secure "origin" checks there's the need for gpg
> signing or something alike. Just using md5 someone who got write access
> to a portage-server could easily regenerate the sum and paste it into
> the ebuild including a modified SRC-URL.

yeah you're right. but AFAIK the gentoo rsync mirrors are being updated every
30 minutes. so if anyone is interested in putting some hacked versions in
there, he could do that but will destroy every change after mirroring the
portage tree again. hmmm... but you're right!!! all people who are providing
mirrors are in the position to make such things.

well there are ways to do it but we have only one "master" of rsync servers so
all the others will be updated from this one. i think and hope it is this
way...

trust no one

hanez... ;-)

-- 
begin .signature
question: is it a feature to execute code in emails?
	i don't think so!
end
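
The point made in the quoted text above, as an added example that is not part of the original message or of Portage: a digest stored in the same tree as the tarball catches transfer corruption but not a rewrite by someone with write access, while a signature checked against a key obtained out of band catches both. A Lamport one-time signature built from hashlib stands in for a GPG detached signature so the block runs with the standard library only; the dict layout and all function names are hypothetical.

```python
import hashlib, os

def H(b):
    return hashlib.sha256(b).digest()

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    # Lamport one-time key pair (use once), a stdlib-only stand-in for a GPG key.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def publish(tarball, sk):
    # Hypothetical tree entry: tarball, the digest from the ebuild, a signature.
    return {"tarball": tarball, "md5": hashlib.md5(tarball).hexdigest(),
            "sig": sign(sk, tarball)}

def md5_ok(entry):
    # The digest is read from the same tree it is supposed to vouch for.
    return hashlib.md5(entry["tarball"]).hexdigest() == entry["md5"]

def sig_ok(entry, pinned_pk):
    # The public key was obtained out of band, not from the mirror.
    return verify(pinned_pk, entry["tarball"], entry["sig"])

def corrupted(entry):
    # Transfer damage: last byte replaced, digest untouched.
    return {**entry, "tarball": entry["tarball"][:-1] + b"\x00"}

def rewritten_on_mirror(entry, new_tarball):
    # Write access to the server covers the digest too, but not the private key.
    return {**entry, "tarball": new_tarball,
            "md5": hashlib.md5(new_tarball).hexdigest()}

def run_checks():
    sk, pk = keygen()
    good = publish(b"constructed sample tarball bytes", sk)
    cases = {"good": good, "corrupted": corrupted(good),
             "rewritten": rewritten_on_mirror(good, b"constructed modified bytes")}
    return {k: (md5_ok(e), sig_ok(e, pk)) for k, e in cases.items()}
```

Each result is a pair (digest check, signature check); the rewritten entry is the only one where the two disagree.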