From: Paul de Vrieze
To: gentoo-security@lists.gentoo.org
Date: Thu, 11 Nov 2004 11:56:49 +0100
Subject: Re: [gentoo-security] The solution and hopefully the end.

On Wednesday 10 November 2004 14:52, Kurt Lieber wrote:
> Anyway, enough preaching. This thread has gone on long enough. The
> solution that's been agreed upon is signing the daily snapshots that
> we provide for users who can't use rsync. (/snapshots directory on
> your favorite source mirror)

All right, repeating it is not useful.

> This provides the ability to verify the integrity of every single file
> under /usr/portage/ and requires very little changes to our existing
> infrastructure. emerge-webrsync will be hacked up to provide
> verification support for it. I don't have any commitments from the
> portage devs that these changes will be included (emerge-webrsync is
> part of portage) so this may end up being an unsupported,
> use-at-your-own-risk solution. It does not take away from or alter the
> plans to implement a much better, more robust verification solution in
> portage itself.

Well, finally some useable solution. I'm fairly confident that the portage
devs will support it. I think it can be an acceptable measure until the
final measures are finalized.

Paul

> P.S. I do not want anyone to think that this solution is being
> implemented because of the bitching and screaming that occurred. If
> someone had posted a message to the list before all this broke out
> suggesting this solution and volunteering to write the code for it, it
> would be in place by now. That's another way of saying that we didn't
> have to go through all this unpleasantness...

ps. I'm fairly confident that all the bashing has in general been
counterproductive. I certainly have still about 100 mails on the mailing
list laying about, which I don't intend to read. I don't care much about
flamewars, and might certainly have missed productive suggestions.

At least now there is a good temporary measure, and we can now focus on
how the keychain maintenance can be handled (for the final solution)

-- 
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net
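The verify-before-unpack flow that the quoted proposal describes for signed snapshots, as an added example that is not part of this thread and is not emerge-webrsync's code. The `.gpgsig` suffix, the keyring argument, the function name and the paths in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed names, not from the thread: the ".gpgsig" suffix,
# the keyring argument and the function name.

# verify_and_unpack SNAPSHOT KEYRING DEST
# Returns 0 only if SNAPSHOT carries a valid detached signature from a key
# in KEYRING and was fully extracted. DEST is not touched unless
# verification and extraction both succeed.
verify_and_unpack() {
    snapshot=$1; keyring=$2; dest=$3
    sig="${snapshot}.gpgsig"

    # Fail closed: a missing signature is an error, never "unsigned is fine".
    [ -f "$snapshot" ] || { echo "missing snapshot: $snapshot" >&2; return 2; }
    [ -f "$sig" ]      || { echo "missing signature: $sig" >&2; return 3; }
    [ -f "$keyring" ]  || { echo "missing keyring: $keyring" >&2; return 4; }

    # gpgv accepts only keys present in the given keyring; the user's own
    # keyring and trust settings play no part. Pass KEYRING as a path that
    # contains a slash, otherwise gpgv looks for it in its home directory.
    gpgv --keyring "$keyring" "$sig" "$snapshot" >/dev/null 2>&1 \
        || { echo "signature check failed: $snapshot" >&2; return 5; }

    # Extract into a staging directory next to DEST, then swap it in, so a
    # truncated or failing extraction never leaves a half-written tree.
    stage=$(mktemp -d "${dest}.stage.XXXXXX") || return 6
    if ! tar -xf "$snapshot" -C "$stage"; then
        rm -rf "$stage"
        echo "extraction failed: $snapshot" >&2
        return 7
    fi
    rm -rf "${dest}.old"
    if [ -e "$dest" ]; then mv "$dest" "${dest}.old" || return 8; fi
    mv "$stage" "$dest"
}

# Usage (all three paths are placeholders):
#   verify_and_unpack ./snapshot.tar.bz2 /etc/snapshot-keys.gpg /usr/portage
```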