Date: Thu, 11 Nov 2004 20:20:16 +0000
From: Kurt Lieber
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] Maybe a new approach?
Message-ID: <20041111202016.GL10927@mail.lieber.org>
In-Reply-To: <010401c4c82a$98d39040$2203010a@gcombe>

On Thu, Nov 11, 2004 at 01:11:15PM -0700 or thereabouts, Glen Combe wrote:
> Kurt can you clarify this for me or give me more detail... on what you
> mean what you say below? What is the more robust solution? I don't recall
> reading it here?
>
> "The solution that Peter is requesting (generating hashes of files not
> already hashed and then signing all Manifests/hashes) is considerably more
> risky and is not something I will implement since we have a more robust,
> better solution in the works already."

It's been mentioned numerous times. The strategic approach to fixing this
issue is taking the work we've already put into signed manifests and
extending it to cover other files as well (eclasses, profiles, etc.) There
is an open RFE bug for this and Jason (one of our portage devs) has already
said they're working on it.

--kurt