Date: Tue, 23 Jan 2007 18:05:28 +0200
From: Rumen Yotov <rumen@qrypto.org>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Good arguments to use Gentoo Linux?

On Tue, 23 Jan 2007 12:07:46 +0000
Neil Bothwick <neil@digimed.co.uk> wrote:

> On Mon, 22 Jan 2007 18:12:07 -0800 (PST), Eric Bohn wrote:
>
> > Using Portage you're putting yourself at the mercy of any Joe Schmoe
> > with a proxy connection to a Gentoo server that wants to compromise
> > your machine.
>
> How so? They'd have to get a compromised source tarball on the
> distfiles mirrors and a hacked ebuild into the CVS tree. Getting a
> hacked ebuild on the servers isn't enough, it would be replaced in no
> more than fifteen minutes.
>
> Why is this easier than getting a compromised RPM onto a Red Hat or
> SUSE server?

Hi Neil,

It'll be the same when the 'new' Manifest2 format is fully implemented.
Haven't checked but you need at least ebuild & eclass GPG-signing, etc.
There was a discussion (on some Gentoo ML, IIRC 'security') a year or
more ago, some very ancient bug was mentioned.
RPMs are signed (but check this again), BTW debs are too.
The work is going on this, but I've no info about the progress made.

HTH.
Rumen