One mitigation would be move from rsync'ing the portage tree (which I believe is still held in CVS) to using a git tree instead. At least this way you can be sure* the metadata hasn't been tampered with between syncs. Of course you still depend on the developer doing due diligence on the first tree.
I'm not sure if the nature of the distribution (being source based) widens or narrows the attack surface.
* YMMV, I don't believe anyone has managed an attack on a git repo yet.
Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds