From: Kurt Lieber
To: Chris Frey
Cc: gentoo-security@lists.gentoo.org
Date: Sun, 7 Nov 2004 15:23:50 +0000
Subject: Re: [gentoo-security] Re: Trojan for Gentoo, part 2
Message-ID: <20041107152350.GF10927@mail.lieber.org>
In-Reply-To: <20041106193125.A24826@netdirect.ca>
References: <418D310B.6050106@ahsoftware.de> <20041106193125.A24826@netdirect.ca>

On Sat, Nov 06, 2004 at 07:31:25PM -0500 or thereabouts, Chris Frey wrote:
> 1.5 years is a long time to figure out how to sign an ebuild. It puzzles
> me that there is such resistance to these security steps, and not just
> in Gentoo.

It may have been a long time coming, but that doesn't mean there is "resistance" to implementing the security measures. It simply means that other things have taken priority up until now.

I can easily use the same flawed logic and say, "well, none of our users ever bothered to submit patches to portage to implement GPG signing, so it must not be important to them."

--kurt