on the off chance you emerge a package at a mirror that has been compromised, you would simply re-emerge the package and the update would be done.

Two things to keep in mind would be...

1) RPMs and other packages are compromised just as easily as source. And in almost every experience I've ever heard, random RPMs will have problems far before a source compile, particularly Gentoo's, but the one person I knew who uses Sorcerer said the same thing.

2) The official Gentoo mirrors rsync their portage trees daily. This means that either the entire source would be affected (which would be quickly noticed) or the compromised package would be overwritten within a day.

Packages in the portage source tree should never be updated by an rsync. They should either be deleted (as old) and rewritten, or not touched. Even I could write a cronjob to grep the rsync log for "updated". There may be an occasional exception when something went to or from a masked state, but that's about it, and even there, it might be wiser to simply issue a newer package and mask the new one. I'm not sure how that's done now.

Kev.

On April 12, 2004 10:41 pm, Aaron J. Seigo wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On April 12, 2004 11:15, nick wrote:
> > later as well. It's a damn sexy tool.
>
> yeah, it's just too bad that they STILL don't have GPG signing of packages.
> which makes the whole set-up amazingly insecure due to the distributed
> nature of it all .. remember when that one gentoo mirror was compromised
> last year? that's reason #1 i won't put Gentoo on any system i call my own.
>
> i understand they will be fixing this sometime in late spring / summer ...
> but until then, exercise caution.
>
> - --
> Aaron J. Seigo
> GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA EE75 D6B7 2EB1 A7F1 DB43
> while (!horse()); cart();
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)
>
> iD8DBQFAe2/R1rcusafx20MRAgxPAJ9wJSn8X2ILdnGmjcbL6ere3DJHkgCeM2D0
> yIiaCRHbHVJiVMO//KNcNos=
> =dVvm
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> clug-talk mailing list
> [EMAIL PROTECTED]
> http://clug.ca/mailman/listinfo/clug-talk_clug.ca
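
The cron-job check suggested in the reply above, sketched as an added example that is not part of the original thread. It assumes the mirror sync runs with rsync's `--itemize-changes` and that the output is saved; the function names, the `.ebuild` filter and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report files that rsync rewrote in place during a sync.
# Assumption: the sync was run with --itemize-changes and its output saved.

# Reads itemized rsync output on stdin and prints every regular file that
# already existed locally and was transferred again. $1 is the filename
# suffix to watch (default ".ebuild", an assumption about what to monitor).
flag_inplace_updates() {
    suffix="${1:-.ebuild}"
    awk -v suffix="$suffix" '
        # Each itemized line starts with a change string such as ">f.st......"
        #   char 1 ">"  the file was received from the remote side
        #   char 2 "f"  the item is a regular file
        #   char 3 "+"  the item is new locally (expected for a new version)
        /^>f/ {
            if (substr($1, 3, 1) == "+") next      # new file, not an overwrite
            path = $0
            sub(/^[^ ]+ +/, "", path)              # drop the change string
            tail = substr(path, length(path) - length(suffix) + 1)
            if (tail == suffix) print path         # existing file was rewritten
        }
    '
}

# Constructed sample log: one new ebuild, one ebuild changed in place,
# one deletion, one directory timestamp change, one unrelated file update.
sample_log() {
    cat <<'EOF'
>f+++++++++ app-misc/example/example-1.1.ebuild
>f.st...... net-misc/demo/demo-2.1.ebuild
*deleting   app-misc/example/example-1.0.ebuild
.d..t...... app-misc/example/
>f.st...... metadata/timestamp
EOF
}

# Stand-alone run: prints only the ebuild that was overwritten in place.
sample_log | flag_inplace_updates
```

From cron, the saved sync log would be piped into `flag_inplace_updates` and any non-empty output mailed to the administrator.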

