User: Password:
|
|
Subscribe / Log in / New account

Gentoo Mitigations?

Gentoo Mitigations?

Posted Mar 24, 2011 19:35 UTC (Thu) by quentin.casasnovas (subscriber, #58238)
In reply to: Gentoo Mitigations? by alex
Parent article: Arch Linux and (the lack of) package signing

You may want to take a look at Funtoo, a "Gentoo Linux variant personally developed by Daniel Robbins, creator of Gentoo Linux" : it uses git instead of rsync to update the portage tree.


(Log in to post comments)

Gentoo Mitigations?

Posted Mar 24, 2011 23:32 UTC (Thu) by blitzkrieg3 (guest, #57873) [Link]

So what? It doesn't mean the packages are signed.

Funtoo

Posted Mar 25, 2011 10:03 UTC (Fri) by alex (subscriber, #1355) [Link]

I did look at Funtoo, unfortunately the git repo (or at least the gentoo mirror side) was just a daily snapshot of the CVS tree. That doesn't give you any confidence that the mirror hasn't been compromised.

Really you want each change to the metadata to be a discreet verifiable commit.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds