From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-dev-return-1968-arch-gentoo-dev=gentoo.org@gentoo.org>
Received: (qmail 15504 invoked by uid 1002); 22 Mar 2003 21:14:34 -0000
Mailing-List: contact gentoo-dev-help@gentoo.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:gentoo-dev@gentoo.org>
List-Help: <mailto:gentoo-dev-help@gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev-unsubscribe@gentoo.org>
List-Subscribe: <mailto:gentoo-dev-subscribe@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@gentoo.org
Received: (qmail 10714 invoked from network); 22 Mar 2003 21:14:34 -0000
From: Paul de Vrieze <gentoo-user@devrieze.net>
To: gentoo-dev@gentoo.org
Date: Sat, 22 Mar 2003 22:14:23 +0100
User-Agent: KMail/1.5
References: <43280000.1048179164@krabat.ahsoftware> <3E7BF439.9090007@netcabo.pt> <3E7C4709.3090808@komcept.com>
In-Reply-To: <3E7C4709.3090808@komcept.com>
MIME-Version: 1.0
Content-Type: multipart/signed;
  protocol="application/pgp-signature";
  micalg=pgp-sha1;
  boundary="Boundary-02=_3INf+VowQR5hDXH";
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <200303222214.31606.gentoo-user@devrieze.net>
X-Spam-Status: No, hits=-2.2 required=5.0
X-Spam-Level: 
X-Virus-Scanned: by amavisd-milter (http://amavis.org/)
Subject: [gentoo-dev] Re: [gentoo-security] Trojan for Gentoo/GNU Linux, proof of concept
X-Archives-Salt: d254db22-d33d-41da-ad7c-8fe77408746a
X-Archives-Hash: eb32a7c47e55a809718883ab20ef3004

--Boundary-02=_3INf+VowQR5hDXH
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Description: signed data
Content-Disposition: inline

On Saturday 22 March 2003 12:20, MAL wrote:
>
> I don't think I would trust a security/paranoid only update system
> within portage, as portage will still be working with an externally
> generated list of to-do.  Building aan update locally, making sure it's
> only what you want, then packaging it, (ebuild package - tbz2 format),
> and installing it on the remote machine, is the only method i'd feel
> satisfied with.
>

I agree with your point of view. While my only "server" is a home server th=
at=20
does some printing and ip sharing stuff I do make sure I don't just update=
=20
world. I don't see the point of "running emerge -u world from cron" at all.=
=20
The best protection from instability is keeping record of the mailing lists=
,=20
and not updating what is not broken.

=46or my desktops, I even there wait with updates for packages like gcc, gl=
ibc,=20
X etc. until I believe they are actually stable in a sense that I don't hea=
r=20
about problems concerning them anymore.

Paul

=2D-=20
Paul de Vrieze
Researcher
Mail: pauldv@cs.kun.nl
Homepage: http://www.devrieze.net

--Boundary-02=_3INf+VowQR5hDXH
Content-Type: application/pgp-signature
Content-Description: signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQA+fNI3Nb2zbbdIrucRAsysAJ0dzTe/4Nlpmq98jdqj8VJtnzMQQACeMc5o
6zzxfI7ddMMXnFglV23nS60=
=YT9Z
-----END PGP SIGNATURE-----

--Boundary-02=_3INf+VowQR5hDXH--