From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Good arguments to use Gentoo Linux?
Date: Wed, 24 Jan 2007 18:42:15 +0000

On Tuesday 23 January 2007 12:07, Neil Bothwick wrote:
> On Mon, 22 Jan 2007 18:12:07 -0800 (PST), Eric Bohn wrote:
> > Using Portage you're putting yourself at the mercy of any Joe Schmoe
> > with a proxy connection to a Gentoo server that wants to compromise
> > your machine.
>
> How so? They'd have to get a compromised source tarball on the distfiles
> mirrors and a hacked ebuild into the CVS tree. Getting a hacked ebuild
> on the servers isn't enough, it would be replaced in no more than fifteen
> minutes.
>
> Why is this easier than getting a compromised RPM onto a Red Hat or SUSE
> server?

If you're *really* paranoid rsync twice (with a different mirror each time)
then diff the package you intend to install to see if there are any suspect
ebuilds. Ditto for distfiles. If in doubt compare gpg/MD5 sums with
sourceforge, or the package developer's website/ftp server. Of course, you
could repeat three times over and see if there's a discrepancy with the diff
comparison. I mean, how much time have you available? If you can script and
you're managing a critical server for the MOD, or NASA, or what not, then you
could probably automate the whole process and include random selections of
servers.

If you go back 2-3 years I remember there was a compromise of some Gentoo
mirrors and we were all reinstalling afresh. I can't remember what the
systemic weakness was, or if/how it was fixed - you may be able to dig
something up from the Gmane archives.

Sometimes I feel quite relieved that I only manage a couple of boxen in my
spare room. :)

-- 
Regards,
Mick
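
The two-mirror comparison described in the message above can be scripted. This is an added example, not part of the original message or of Portage itself: it compares one package directory across two already-synced copies of the tree. The function names, the `mirror_a`/`mirror_b` directories and the `app-misc/foo` package are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile

def tree_digests(root, package):
    """Map each file of `package` (path relative to root) to its SHA-256 digest."""
    base = os.path.join(root, package)
    if not os.path.isdir(base):
        # A missing directory must not be read as "no differences found".
        raise FileNotFoundError(base)
    digests = {}
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_syncs(sync_a, sync_b, package):
    """Return {relative_path: reason} for each file the two syncs disagree on."""
    a, b = tree_digests(sync_a, package), tree_digests(sync_b, package)
    report = {}
    for rel in sorted(set(a) | set(b)):
        if rel not in a:
            report[rel] = "only in second sync"
        elif rel not in b:
            report[rel] = "only in first sync"
        elif a[rel] != b[rel]:
            report[rel] = "content differs"
    return report

def build_demo_trees(tmp):
    """Constructed sample data: two tiny fake trees, the second with an altered ebuild."""
    good = 'SRC_URI="mirror://gentoo/foo-1.0.tar.gz"\n'
    for mirror, body in (("mirror_a", good), ("mirror_b", good + "# altered line\n")):
        pkg = os.path.join(tmp, mirror, "app-misc", "foo")
        os.makedirs(pkg)
        with open(os.path.join(pkg, "foo-1.0.ebuild"), "w") as fh:
            fh.write(body)
        with open(os.path.join(pkg, "ChangeLog"), "w") as fh:
            fh.write("initial import\n")
    return os.path.join(tmp, "mirror_a"), os.path.join(tmp, "mirror_b")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        first, second = build_demo_trees(tmp)
        for rel, reason in compare_syncs(first, second, "app-misc/foo").items():
            print(f"{reason}: {rel}")
```

Mirrors do not all sync at the same moment, so a reported difference is a reason to inspect the file, not proof of tampering.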