From: hasufell
Subject: Re: [gentoo-dev] ChangeLog
To: gentoo-dev@lists.gentoo.org
Date: Wed, 4 Nov 2015 17:18:36 +0100

On 11/04/2015 09:56 AM, Andrew Savchenko wrote:
> On Sun, 1 Nov 2015 14:53:20 +0100 hasufell wrote:
>>>> You shouldn't use rsync anymore, it is inherently insecure. The git
>>>> tree is _properly_ gpg signed so you can verify its correctness.
>>>>
>>>> With the following portage configuration/hooks, any user can run the
>>>> tree directly from git:
>>>> https://github.com/hasufell/portage-gentoo-git-config
>>>
>>> More secure by fetching metadata cache via rsync?
>>> Better by running egencache after each sync?
>>> I don't think so.
>>>
>>
>> Yes it is.
>
> No, it is not. The whole git tree is insecure and no better than
> rsync or CVS in terms of data security because SHA1 is vulnerable.
>

Another one who is confusing _any_ collision with _preimage attack_ ;)
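
The collision versus preimage distinction raised in the reply above, as an added example that is not part of the original email or of any project mentioned in it: a collision search picks both inputs, while a second-preimage search must match the digest of an input someone else already fixed. SHA-1 is truncated to 20 bits here (an assumption, so both searches finish in seconds); the function names and sample bytes are constructed for illustration.

```python
import hashlib
from itertools import count

BITS = 20  # assumption: SHA-1 truncated to 20 bits so both searches finish quickly


def short_sha1(data: bytes, bits: int = BITS) -> int:
    """Top `bits` bits of SHA-1(data): a deliberately weakened toy digest."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - bits)


def find_collision(bits: int = BITS):
    """Searcher chooses BOTH messages: any two inputs with the same digest."""
    seen = {}
    for tries in count(1):
        msg = b"collide-%d" % tries
        digest = short_sha1(msg, bits)
        if digest in seen:
            return seen[digest], msg, tries
        seen[digest] = msg


def find_second_preimage(target: bytes, bits: int = BITS):
    """Searcher must match the digest of a message that is already fixed."""
    want = short_sha1(target, bits)
    for tries in count(1):
        msg = b"forge-%d" % tries
        if msg != target and short_sha1(msg, bits) == want:
            return msg, tries


if __name__ == "__main__":
    a, b, c_tries = find_collision()
    # Constructed stand-in for an object that is already signed and published.
    signed = b"tree 0000 (constructed sample of an already-signed object)"
    forged, p_tries = find_second_preimage(signed)
    print(f"collision:       {c_tries:>8} hashes (birthday bound ~2^{BITS // 2})")
    print(f"second preimage: {p_tries:>8} hashes (expected ~2^{BITS})")
```

The cost gap scales with digest width: for an n-bit digest, generic collision search costs about 2^(n/2) hashes and generic second-preimage search about 2^n.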