| |||||||||||||
Gentoo Mitigations?Gentoo Mitigations?Posted Mar 24, 2011 19:35 UTC (Thu) by quentin.casasnovas (subscriber, #58238)In reply to: Gentoo Mitigations? by alex Parent article: Arch Linux and (the lack of) package signing
You may want to take a look at Funtoo, a "Gentoo Linux variant personally developed by Daniel Robbins, creator of Gentoo Linux" : it uses git instead of rsync to update the portage tree.
(Log in to post comments)
Gentoo Mitigations? Posted Mar 24, 2011 23:32 UTC (Thu) by blitzkrieg3 (subscriber, #57873) [Link]
So what? It doesn't mean the packages are signed.
Funtoo Posted Mar 25, 2011 10:03 UTC (Fri) by alex (subscriber, #1355) [Link]
I did look at Funtoo, unfortunately the git repo (or at least the gentoo mirror side) was just a daily snapshot of the CVS tree. That doesn't give you any confidence that the mirror hasn't been compromised.
Really you want each change to the metadata to be a discreet verifiable commit.
|
|||||||||||||