From: Mark Kubacki <wmark@hurrikane.de>
To: gentoo-portage-dev@lists.gentoo.org
Subject: Re: [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers
Date: Fri, 6 Mar 2015 18:50:30 +0100
Message-ID: <CAHw5crJLAFBJr5HGgm2wkW_t53qd-8r3xtfdWxNr-J3fGQNM7A@mail.gmail.com>
In-Reply-To: <54F9C5BB.7000108@gentoo.org>
2015-03-06 1:56 GMT+01:00 Rick "Zero_Chaos" Farina <zerochaos@gentoo.org>:
>
> tl;dr webrsync-gpg is a built-in feature of the package manager which
> OPTIONALLY adds a significant amount of security against the attacks
> described on your website. This is not currently the default setting,
> however, it is described in many hardening guides for gentoo and widely
> used among the security conscious.
On 03/06/15 08:53, Mark Kubacki wrote:
>
> Without numbers backing that up this is speculation.
2015-03-06 16:20 GMT+01:00 Rick "Zero_Chaos" Farina <zerochaos@gentoo.org>:
>
> 5,7,16,38,42. There are some numbers to back up what I'm saying. I
> have been doing security work for over 15 years and I'm a professional
> pen-tester. If you want to read the portage code to verify what I said
> that's fine, but I'm reasonably confident I distilled what portage does
> into English.
We're on the same side here.
Do we have numbers showing the ratio "portage used with defaults" vs.
where "[webrsync-gpg] is described in many hardening guides for gentoo
and widely used among the security conscious" applies?
DNS not being encrypted is just painting the whole picture. Point is,
the default is that "emerge --sync" results in a transfer using RSYNC
(or http).
And by default you cannot compare the result with any authoritative source.
--
Mark
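The thread turns on whether a given box actually opts into webrsync-gpg or runs with the unverified default. The following audit helper is an added example, not code from this thread or from Portage: it reads a make.conf and reports whether snapshot signature checking is configured. It assumes FEATURES and PORTAGE_GPG_DIR are the make.conf variables that enable and configure the feature; every sample file it writes is constructed.

```shell
#!/bin/sh
# Added audit helper (not from the thread or Portage): report whether a
# make.conf enables the optional webrsync-gpg feature (snapshot signature
# checking), which the thread notes is off by default. Assumptions: FEATURES
# and PORTAGE_GPG_DIR are the relevant variables; all samples are constructed.

# Source a make.conf in a subshell and print the value of variable $2.
# make.conf is shell syntax, so sourcing it resolves quoting and ${VAR} use.
var_from_conf() {
    ( set +e; . "$1" >/dev/null 2>&1; eval "printf '%s\n' \"\$$2\"" )
}

# Return 0 if feature $2 is enabled in the FEATURES string $1.
# A later "-feature" token disables an earlier "feature" token, as in Portage.
feature_enabled() {
    state=1
    for w in $1; do
        [ "$w" = "$2" ] && state=0
        [ "$w" = "-$2" ] && state=1
    done
    return $state
}

# Return 0 only if webrsync-gpg is on AND a keyring directory is named;
# the hardening guides set both, so treat either one alone as incomplete.
sync_is_verified() {
    feature_enabled "$(var_from_conf "$1" FEATURES)" webrsync-gpg || return 1
    [ -n "$(var_from_conf "$1" PORTAGE_GPG_DIR)" ]
}

# Write three constructed make.conf samples into a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'FEATURES="sandbox parallel-fetch"' > "$dir/default"
    printf '%s\n' 'FEATURES="sandbox webrsync-gpg"' \
        'PORTAGE_GPG_DIR="/etc/portage/gpg"' > "$dir/hardened"
    printf '%s\n' 'FEATURES="sandbox webrsync-gpg -webrsync-gpg"' \
        'PORTAGE_GPG_DIR="/etc/portage/gpg"' > "$dir/negated"
    printf '%s\n' "$dir"
}

# Stand-alone run over the samples (on a real box, pass /etc/portage/make.conf).
samples=$(make_samples)
for f in default hardened negated; do
    if sync_is_verified "$samples/$f"; then
        echo "$f: tree snapshot will be GPG-verified"
    else
        echo "$f: tree fetched without signature verification"
    fi
done
```

The selected profile can also add or remove FEATURES entries, so on a live system confirm the effective value with `emerge --info` rather than reading make.conf alone.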