On Thu, 10 Aug 2017 13:33:54 +1000 "Sam Jorna (wraeth)" <wra...@gentoo.org> wrote:

> This is no greater risk than syncing from a potentially compromised
> mirror. You would use a mirror you trust and, similarly (perhaps even
> more so) you would use a binhost you trust.
Getting a bit ridiculous now. Let me get my tin foil hat. So you're suggesting Gentoo mirrors could be compromised? You're saying that the Gentoo repo gets compromised, which then leaks out onto mirrors. If a mirror is compromised, clearly it would not match up to other mirrors or the master Gentoo repo. All with no one in the world noticing. Not a likely scenario.

Let's go down this rabbit hole. Let's say the Gentoo repo was compromised. You simply look at upstream sources and their hashes. If Gentoo-mirrored sources do not match up to upstream, then you know something is wrong. Thus you have many ways to verify: pull from a mirror, compare to a mirror, compare to the master Gentoo repo, compare to upstream. None of that can be done with a binpkg. There are no public binhosts. There is no official Gentoo binhost. That is something people set up. They may trust their own binhost. But to imply that is more trustworthy than public stuff that is in more than one verifiable location against 3rd parties, that logic does not hold up.

> It does raise the idea of some form of signing of the Packages file,
> similar to gpg-signed portage snapshots, but that's moving well beyond
> the scope of this thread.

That still would never give you any 3rd party verification. Why do we not self-sign certificates? Why are those not trusted? Trust tends to come from 3rd parties. Even GPG relies on a WOT; without that it's pointless. An unsigned GPG key is pretty worthless. Signing stuff with that means nothing.

-- 
William L. Thomson Jr.
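The check the post describes, comparing a mirrored source file against the digests recorded in the tree and comparing the same file as served by several mirrors, as an added example in Python. This is not code from the thread or from Portage. It assumes the Gentoo Manifest `DIST` line format (`DIST <filename> <size> BLAKE2B <hex> SHA512 <hex>`); the "tarballs" and mirror names are constructed byte strings and labels so that the script runs offline, and the function names are this example's own.

```python
"""Check a mirrored distfile against its Manifest digests.

Added example for the thread above; not code from the post or from
Portage. The Manifest line format assumed here is Gentoo's:

    DIST <filename> <size> BLAKE2B <hex> SHA512 <hex>

The "distfiles" below are constructed byte strings standing in for
tarballs fetched from different mirrors, so the script runs offline.
"""
import hashlib
import hmac
from typing import Any, Dict, List, Tuple

# Digest algorithms a Manifest may carry, mapped to hashlib constructors.
HASHERS = {
    "BLAKE2B": hashlib.blake2b,
    "SHA512": hashlib.sha512,
    "SHA256": hashlib.sha256,
}

# Constructed sample data: one "upstream" tarball and copies "fetched"
# from three mirrors, one of which has been altered (same length).
UPSTREAM = b"constructed stand-in for foo-1.0.tar.gz\n"
MIRROR_COPIES = {
    "mirror-a": UPSTREAM,
    "mirror-b": UPSTREAM,
    "mirror-c": UPSTREAM.replace(b"foo", b"f00"),
}


def manifest_dist_line(filename: str, data: bytes) -> str:
    """Build the DIST line a Manifest would carry for this file.

    Used only to construct the sample Manifest from the upstream bytes.
    """
    return "DIST {} {} BLAKE2B {} SHA512 {}".format(
        filename,
        len(data),
        hashlib.blake2b(data).hexdigest(),
        hashlib.sha512(data).hexdigest(),
    )


def parse_dist_line(line: str) -> Dict[str, Any]:
    """Parse 'DIST <file> <size> <ALGO> <hex> ...' into a dict."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST":
        raise ValueError("not a DIST line: %r" % line)
    algos = fields[3:]
    if len(algos) % 2:
        raise ValueError("unpaired digest field in: %r" % line)
    digests = {a: h.lower() for a, h in zip(algos[::2], algos[1::2])}
    return {"filename": fields[1], "size": int(fields[2]), "digests": digests}


def verify_distfile(entry: Dict[str, Any], data: bytes) -> Tuple[bool, List[str]]:
    """Compare data against the size and every supported digest in entry.

    Returns (ok, problems). Unknown algorithms are skipped, but at least
    one supported digest must be present, otherwise the file is treated
    as unverified rather than silently accepted.
    """
    problems: List[str] = []
    if len(data) != entry["size"]:
        problems.append("size mismatch: expected %d, got %d" % (entry["size"], len(data)))
    checked = 0
    for algo, expected in entry["digests"].items():
        hasher = HASHERS.get(algo)
        if hasher is None:
            continue
        checked += 1
        actual = hasher(data).hexdigest()
        # Constant-time comparison; a habit worth keeping for any digest check.
        if not hmac.compare_digest(actual, expected):
            problems.append("%s mismatch" % algo)
    if checked == 0:
        problems.append("no supported digest in Manifest entry")
    return (not problems, problems)


def cross_check_mirrors(entry: Dict[str, Any], copies: Dict[str, bytes]) -> Dict[str, bool]:
    """Verify the same distfile as fetched from several mirrors.

    A mirror whose copy fails the Manifest check stands out against the
    ones that agree; run with an upstream copy as one of the inputs, it
    is the 'compare to mirror, compare to upstream' check from the post.
    """
    return {mirror: verify_distfile(entry, data)[0] for mirror, data in copies.items()}


if __name__ == "__main__":
    entry = parse_dist_line(manifest_dist_line("foo-1.0.tar.gz", UPSTREAM))
    for mirror, ok in cross_check_mirrors(entry, MIRROR_COPIES).items():
        print("%s: %s" % (mirror, "OK" if ok else "MISMATCH"))
```

The size check comes first because it is free and catches truncated downloads before any hashing; the digest check is what actually ties the file to the tree. Note that this only shows a mirror disagrees with the Manifest; whether the Manifest itself is trustworthy is the separate question of signing that the quoted reply raises.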