From: "Butterworth, John W." <jbutterworth@mitre.org>
To: "gentoo-user@lists.gentoo.org" <gentoo-user@lists.gentoo.org>
Subject: RE: [gentoo-user] Portage + checksums
Date: Wed, 7 Apr 2010 11:06:03 -0400 [thread overview]
Message-ID: <8622C222D2FC9D499533B1EEF631D39303331FA8F9@IMCMBX1.MITRE.ORG> (raw)
In-Reply-To: <20100407143507.3dca719a@toxic.dbnet>
[-- Attachment #1: Type: text/plain, Size: 1840 bytes --]
So to avoid "spamming" with 20+ Thank You emails I'll send out just one and
thank you all collectively for the information provided (I hope this isn't
rude - I'm not sure of proper protocol in this situation).
I have a lot more insight now and some new ideas of where I need to look to
learn more. This is a great community and it reflects in the OS - I don't
know why I waited so long to try Gentoo.(??)!
-john
-----Original Message-----
From: Jonas de Buhr [mailto:jonas.de.buhr@gmx.net]
Sent: Wednesday, April 07, 2010 8:35 AM
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Portage + checksums
>This was an argument against Gentoo more than six or seven years ago
>with regards to the security of whole portage system.
Every package management system which uses hashes to verify integrity
has the same problems.
I think a lot of source tarballs are downloaded from the official sites
anyway. Someone really paranoid might manually check the patches.
>A number of
>suggestions were made in those early days, one of them being to sync
>with two mirrors and diff the ebuilds/Manifests/Distfiles affected by
>these two most recent syncs. As far as I know people didn't go for
>this because it was perceived that the system as implemented was
>secure enough and anyway the proposed solution would put too much
>pressure on the mirrors.
I do not have the intention to restart the discussion you mentioned.
But getting hashes and tarballs from the same source (mirror) doesn't go
far for security. At the moment I just trust the official mirrors and
trust that the community would realize soon if there were trojaned
packages the same way I trust apache or the kernel devs not to do
anything funny.
But I still like the idea of files signed with asynchr. crypt. I sure
will have a look into "FEATURES=sign".
/jdb
[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 3522 bytes --]
next prev parent reply other threads:[~2010-04-07 15:06 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-04-06 18:15 [gentoo-user] Portage + checksums Butterworth, John W.
2010-04-06 18:24 ` Albert W. Hopkins
2010-04-06 18:56 ` Butterworth, John W.
2010-04-06 20:10 ` Jonas de Buhr
2010-04-06 20:41 ` Alan McKinnon
2010-04-06 21:13 ` Paul Hartman
2010-04-06 21:26 ` Alan McKinnon
2010-04-06 21:46 ` Mark Knecht
2010-04-06 22:16 ` Alan McKinnon
2010-04-07 5:58 ` Mick
2010-04-07 12:35 ` Jonas de Buhr
2010-04-07 15:06 ` Butterworth, John W. [this message]
2010-04-08 22:58 ` Mick
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8622C222D2FC9D499533B1EEF631D39303331FA8F9@IMCMBX1.MITRE.ORG \
--to=jbutterworth@mitre.org \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox