On 28-02-2018 12:34:31 -0600, R0b0t1 wrote:
> Can you not use webrsync-gpg for the time being?

I'm afraid not, we do "sign" the snapshots, but they are just tarred up versions of the rsync tree as generated. The same tree we're talking about here.

> Incremental updates of authenticated files would be best, but until
> that can be done in a completely foolproof way I would wait so as to
> not give yourself a false sense of security.

Honestly I never understood why Portage doesn't just verify the paths to the ebuilds it eventually wants to install. Anyway, for me the goal is to get some sense of verification, the ultimate sense of security is kind of pointless, since you can point it at any random host, and any random joe can generate any random, but valid(ating) tree.

Fabian

-- 
Fabian Groffen
Gentoo on a different level