On Sun, 1 Nov 2015 14:53:20 +0100 hasufell wrote:
> >> You shouldn't use rsync anymore, it is inherently insecure. The git
> >> tree is _properly_ gpg signed so you can verify its correctness.
> >>
> >> With the following portage configuration/hooks, any user can run the
> >> tree directly from git:
> >> https://github.com/hasufell/portage-gentoo-git-config
> >
> > More secure by fetching metadata cache via rsync?
> > Better by running egencache after each sync?
> > I don't think so.
> >
>
> Yes it is.
No, it is not. The whole git tree is insecure and no better than rsync or CVS in terms of data security because SHA1 is vulnerable. What we really need for security is a GnuPG-signed tree. Right now we have only signed commits and pushes. This is work in progress, if I understand the current situation correctly.

Best regards,
Andrew Savchenko
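Both messages above turn on what "the git tree is gpg signed" actually buys a user who syncs from git. The following is an added example, not part of the thread and not code from hasufell's portage-gentoo-git-config hooks or from portage itself: a POSIX sh check that refuses a freshly synced tree unless HEAD carries a cryptographically good GnuPG signature from an explicitly allowlisted key. It uses `git verify-commit --raw`, which prints gpg's machine-readable `--status-fd` lines to stderr, and parses those rather than gpg's human-readable text. The fingerprints in ALLOWED_FPRS are placeholders, and the hook location in the usage comment is an assumption; it requires git and gpg with the signing keys imported. Note what it does and does not do: it authenticates the tip commit, while the integrity of every object beneath that commit still rests on git's SHA1 object hashes, which is exactly the objection raised in the reply.

```shell
#!/bin/sh
# Added example for this thread, not code from hasufell's hooks or from
# portage: a post-sync check that refuses a git-synced tree unless HEAD
# carries a good GnuPG signature from an explicitly allowlisted key.
# The fingerprints in ALLOWED_FPRS are placeholders (assumption: you obtain
# the real ones out of band, never from the tree you are verifying).

ALLOWED_FPRS="0000000000000000000000000000000000000001 0000000000000000000000000000000000000002"

# check_sig_status: read gpg --status-fd lines (what `git verify-commit --raw`
# emits) on stdin; succeed only if there is a VALIDSIG from an allowlisted
# key and no status line that downgrades the signature.
check_sig_status() {
    status=$(cat)

    # gpg still emits VALIDSIG when the signing key is expired or revoked,
    # so a fingerprint match alone is not enough: reject those cases first.
    if printf '%s\n' "$status" | grep -qE '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)'; then
        return 1
    fi

    # VALIDSIG field 3 is the signing (sub)key fingerprint and the last
    # field is the primary key fingerprint; accept a match on either.
    fprs=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $3; print $NF; exit }')
    [ -n "$fprs" ] || return 1     # no VALIDSIG at all: unsigned commit

    for fpr in $fprs; do
        for allowed in $ALLOWED_FPRS; do
            [ "$fpr" = "$allowed" ] && return 0
        done
    done
    return 1                       # signed, but not by a key we allowlisted
}

# verify_head: run the check against HEAD of the repository at $1.
# The raw gpg status lines go to stderr, hence the redirect.
verify_head() {
    git -C "$1" verify-commit --raw HEAD 2>&1 | check_sig_status
}

# Usage, e.g. from a post-sync hook (path is an assumption):
#   verify_head /usr/portage || { echo "HEAD not signed by an allowed key" >&2; exit 1; }
```

The allowlist is deliberate: gpg's own TRUST_* lines reflect whatever web-of-trust state the local keyring happens to have, whereas pinning fingerprints makes the acceptance decision explicit and reviewable. The check is also only as good as the keyring's freshness, since a revocation you have not fetched yet cannot produce REVKEYSIG.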