From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Portage + checksums
Date: Wed, 7 Apr 2010 06:58:36 +0100

On Tuesday 06 April 2010 23:16:13 Alan McKinnon wrote:
> On Tuesday 06 April 2010 23:46:48 Mark Knecht wrote:
> > On Tue, Apr 6, 2010 at 2:26 PM, Alan McKinnon wrote:
> > > > > FEATURES=sign
> > >
> > > "man 5 make.conf" implies that the dev signs the Manifest by checking
> > > something into the tree using repoman. Presumably, the user either has
> > > to fetch the public key or portage includes it in the tree. But
> > > documentation in the man pages is sparse, I can't find an explanation
> > > of how it should work.
> > >
> > >
> > > --
> > > alan dot mckinnon at gmail dot com
> >
> > Do you use it?
>
> Without logging into the mirror host and checking, I really couldn't say. I
> mirror what I get from gentoo.org with no alterations.
>
> I don't use the feature locally on any of my own boxes.

This was an argument against Gentoo more than six or seven years ago with
regard to the security of the whole portage system. A number of suggestions were
made in those early days, one of them being to sync with two mirrors and diff
the ebuilds/Manifests/Distfiles affected by these two most recent syncs. As
far as I know people didn't go for this because it was perceived that the
system as implemented was secure enough and anyway the proposed solution would
put too much pressure on the mirrors.

BTW, there was some compromise of a mirror in those early days and a lot of (well,
maybe a few back then) people had to reinstall because their boxen were
compromised, or thought that they might have been!

If you google you may find something lurking around from the long arguments
that took place and what D. Robbins said.

--
Regards,
Mick
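
The two-mirror comparison mentioned in the message, sketched as an added example (not part of the original post and not Portage code): it parses a package Manifest as fetched from two mirrors and reports the entries on which they disagree. The Manifest line layout (`TYPE name size HASH value ...`), the function names and the sample data are assumptions made for illustration.

```python
# Added example: compare one package's Manifest as served by two mirrors.
# Assumed line layout: TYPE name size HASHNAME hexvalue [HASHNAME hexvalue ...]
TYPES = ("AUX", "DIST", "EBUILD", "MISC")

def parse_manifest(text):
    """Return {(type, name): (size, {hash_name: hex_value})}."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, PGP armor and anything that is not a file entry.
        if not fields or fields[0] not in TYPES:
            continue
        # A file entry needs a numeric size and complete hash name/value pairs.
        if len(fields) < 5 or len(fields) % 2 == 0 or not fields[2].isdigit():
            raise ValueError(f"malformed Manifest line: {line!r}")
        hashes = dict(zip(fields[3::2], (v.lower() for v in fields[4::2])))
        entries[(fields[0], fields[1])] = (int(fields[2]), hashes)
    return entries

def diff_mirrors(manifest_a, manifest_b):
    """Return sorted (finding, type, name) tuples where the mirrors disagree."""
    a, b = parse_manifest(manifest_a), parse_manifest(manifest_b)
    findings = []
    for key in sorted(a.keys() | b.keys()):
        if key not in a or key not in b:
            findings.append(("only_on_a" if key in a else "only_on_b", *key))
            continue
        (size_a, hashes_a), (size_b, hashes_b) = a[key], b[key]
        shared = hashes_a.keys() & hashes_b.keys()
        if size_a != size_b or any(hashes_a[h] != hashes_b[h] for h in shared):
            findings.append(("mismatch", *key))
        elif not shared:
            # Nothing comparable: treat as unverified rather than as equal.
            findings.append(("no_common_hash", *key))
    return findings

# Constructed sample data: mirror B serves a changed ebuild and an extra patch.
H1, H2, H3 = "11" * 32, "22" * 32, "ee" * 32
MIRROR_A = (f"DIST foo-1.0.tar.gz 1024 SHA256 {H1}\n"
            f"EBUILD foo-1.0.ebuild 512 SHA256 {H2}\n")
MIRROR_B = (f"DIST foo-1.0.tar.gz 1024 SHA256 {H1}\n"
            f"EBUILD foo-1.0.ebuild 512 SHA256 {H3}\n"
            f"AUX extra.patch 90 SHA256 {H1}\n")

if __name__ == "__main__":
    for finding in diff_mirrors(MIRROR_A, MIRROR_B):
        print(*finding)
```

A disagreement only shows that the mirrors diverge, not which copy is the authentic one; two mirrors that agree may also both be stale or both be altered.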