From: Jean-Michel Smith <jean@kcco.com>
To: Johannes Findeisen <you@hanez.org>, gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] possible trojan in openssh-3.4p1
Date: Sat, 3 Aug 2002 11:09:07 -0500 [thread overview]
Message-ID: <200208031109.07227.jean@kcco.com> (raw)
In-Reply-To: <200208020936.40432.you@hanez.org>
On Friday 02 August 2002 02:36 am, Johannes Findeisen wrote:
> if this should be a option in portage, we always need to download two files
> from two servers to check if the md5sum are the same... :-(
> IMO it is good as it is. the gentoo-core team are providing a md5sum in the
> portage tree and that should be enough.
Until it isn't, which is going to happen, sooner or later.
Ideally each developer would GPG sign their source tarballs (and have their
public keys available from several independent locations, such as
key-servers, a public key-ring available for download, and purchase on CDR).
But at the very least, Gentoo should have a public keyring available (again,
from multiple sources to insure the keyring itself hasn't been modified), and
each ebuild and digest file should be cryptographically signed. Emerge
should check those signatures and validate them before installing an ebuild.
If this issue isn't addressed in some fashion, it really only becomes a
question of time before Gentoo is trojanned via the ebuild/emerge process,
and the entire distro gets a big black eye as a result, and then addresses
these concerns anyway.
Why not do it proactively instead?
Jean.
next prev parent reply other threads:[~2002-08-03 16:09 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-08-01 8:37 [gentoo-dev] possible trojan in openssh-3.4p1 Rob Kaper
2002-08-01 8:46 ` Rob Kaper
2002-08-01 9:18 ` Vitaly Kushneriuk
2002-08-01 10:10 ` Eric Noack
2002-08-01 10:34 ` Terje Kvernes
2002-08-01 10:47 ` Rob Kaper
2002-08-01 10:56 ` Terje Kvernes
[not found] ` <200208011505.42361.bastiaf@gmx.de>
2002-08-01 13:35 ` Terje Kvernes
2002-08-01 13:39 ` Rob Kaper
2002-08-01 21:17 ` Spider
2002-08-02 7:36 ` Johannes Findeisen
2002-08-02 12:18 ` [gentoo-dev] " A.Waschbuesch
2002-08-02 12:02 ` Johannes Findeisen
2002-08-03 10:40 ` [gentoo-dev] " A.Waschbuesch
2002-08-03 16:09 ` Jean-Michel Smith [this message]
2002-08-03 17:19 ` [gentoo-dev] " A.Waschbuesch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200208031109.07227.jean@kcco.com \
--to=jean@kcco.com \
--cc=gentoo-dev@lists.gentoo.org \
--cc=you@hanez.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox