On Thu, 10 Aug 2017 13:33:54 +1000
"Sam Jorna (wraeth)" <wra...@gentoo.org> wrote:
>
> This is no greater risk than syncing from a potentially compromised
> mirror. You would use a mirror you trust and, similarly (perhaps even
> more so) you would use a binhost you trust.

Getting a bit ridiculous now. Let me get my tin foil hat.

So you're suggesting Gentoo mirrors could be compromised? You're saying
that the Gentoo repo gets compromised, which then leaks out onto mirrors.
If a mirror is compromised, clearly it would not match up to other
mirrors or the master Gentoo repo, all with no one in the world
noticing. Not a likely scenario.

Let's go down this rabbit hole. Let's say the Gentoo repo was
compromised. You simply look at upstream sources and their hashes. If
Gentoo mirrored sources do not match up to upstream, then you know
something is wrong.

Thus you have many ways to verify: pull from a mirror, compare to
another mirror, compare to the master Gentoo repo, compare to upstream.
None of that can be done with a binpkg. There are no public binhosts.
There is no official Gentoo binhost. That is something people set up.

They may trust their own binhost. But to imply that is more
trustworthy than public stuff that is in more than one verifiable
location against 3rd parties... that logic does not hold up.

> It does raise the idea of some form of signing of the Packages file,
> similar to gpg-signed portage snapshots, but that's moving well beyond
> the scope of this thread.

That still would never give you any 3rd-party verification. Why do we
not self-sign certificates? Why are those not trusted? Trust tends to
come from 3rd parties.

Even GPG relies on a WOT; without that it's pointless. An unsigned GPG
key is pretty worthless. Signing stuff with that means nothing.

-- 
William L. Thomson Jr.

Attachment: pgpcIWBAlyNQk.pgp
Description: OpenPGP digital signature

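As an added illustration (not part of this thread, and not Gentoo's or portage's own tooling), here is a Python cross-check of the kind the message above describes: the downloaded distfile is hashed and compared against the DIST line a Manifest in the master repo would carry and against a checksum upstream would publish, and a mirror that rewrote both the file and its own Manifest is shown to be self-consistent yet still caught by the independent sources. The tarball bytes, Manifest line, upstream checksum and all helper names are constructed for this example; only the DIST line layout (name, size, BLAKE2B, SHA512) follows Gentoo's Manifest2 format.

```python
"""
Cross-check a downloaded distfile against several independent sources of
truth: the Manifest DIST line from the master repo, a checksum published
by upstream, and (for contrast) the Manifest served by the mirror the
file came from. Everything below is constructed for this example.
"""
import hashlib
import re
from typing import Dict, List, Optional

# Manifest2 DIST line as used in Gentoo ebuild repositories:
#   DIST <filename> <size-in-bytes> BLAKE2B <hex> SHA512 <hex>
DIST_LINE = re.compile(r"^DIST\s+(\S+)\s+(\d+)\s+(.+)$")


def parse_dist_line(line: str) -> dict:
    """Parse one DIST line into {'name', 'size', 'digests': {ALGO: hex}}."""
    m = DIST_LINE.match(line.strip())
    if not m:
        raise ValueError("not a DIST line: %r" % line)
    name, size, rest = m.groups()
    fields = rest.split()
    if len(fields) % 2:
        raise ValueError("odd number of digest fields in: %r" % line)
    digests = {fields[i].upper(): fields[i + 1].lower()
               for i in range(0, len(fields), 2)}
    return {"name": name, "size": int(size), "digests": digests}


def compute_digests(data: bytes) -> Dict[str, str]:
    """Digests in the algorithms a Manifest or an upstream page might list."""
    return {
        "BLAKE2B": hashlib.blake2b(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


def make_dist_line(name: str, data: bytes) -> str:
    """Hypothetical helper: the DIST line a repo would publish for `data`."""
    d = compute_digests(data)
    return "DIST %s %d BLAKE2B %s SHA512 %s" % (name, len(data), d["BLAKE2B"], d["SHA512"])


def verify_against_source(data: bytes, size: Optional[int], claimed: Dict[str, str]) -> List[str]:
    """Return the checks that FAIL for one source ([] means it agrees).
    Only algorithms the source publishes are compared; an algorithm we
    cannot compute is reported rather than silently skipped."""
    actual = compute_digests(data)
    failures = []
    if size is not None and size != len(data):
        failures.append("SIZE")
    for algo, hexdigest in claimed.items():
        if algo not in actual:
            failures.append("UNKNOWN:" + algo)
        elif actual[algo] != hexdigest.lower():
            failures.append(algo)
    return sorted(failures)


def cross_check(data: bytes, sources: Dict[str, dict]) -> Dict[str, List[str]]:
    """sources: name -> {'size': int|None, 'digests': {ALGO: hex}}.
    The verdict is per source, so one disagreeing location stands out
    against the others instead of collapsing into a single yes/no."""
    return {name: verify_against_source(data, src.get("size"), src["digests"])
            for name, src in sources.items()}


# Constructed sample distfile; stands in for foo-1.0.tar.gz.
SAMPLE_TARBALL = b"constructed tarball contents for foo-1.0.tar.gz\n" * 64
# Constructed: what the master repo's Manifest and upstream's release
# page would publish for the genuine file.
MASTER_MANIFEST_LINE = make_dist_line("foo-1.0.tar.gz", SAMPLE_TARBALL)
UPSTREAM_SHA256 = hashlib.sha256(SAMPLE_TARBALL).hexdigest()


def independent_sources() -> Dict[str, dict]:
    """Sources the downloader did not obtain from the mirror itself."""
    return {
        "master-repo": parse_dist_line(MASTER_MANIFEST_LINE),
        "upstream": {"size": None, "digests": {"SHA256": UPSTREAM_SHA256}},
    }


def tampered_copy(data: bytes) -> bytes:
    """Flip one byte: an altered distfile of the same size."""
    b = bytearray(data)
    b[0] ^= 0x01
    return bytes(b)


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Three scenarios; each maps source name -> failing checks."""
    independent = independent_sources()
    tampered = tampered_copy(SAMPLE_TARBALL)
    # A compromised mirror can rewrite its own Manifest to match the
    # altered file, so the mirror's Manifest alone proves nothing.
    mirror_manifest = parse_dist_line(make_dist_line("foo-1.0.tar.gz", tampered))
    return {
        "genuine": cross_check(SAMPLE_TARBALL, independent),
        "tampered": cross_check(tampered, independent),
        "compromised_mirror": cross_check(tampered, {**independent, "bad-mirror": mirror_manifest}),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(scenario, verdict)
```

In the "compromised_mirror" scenario the mirror's own Manifest reports no failures while the master repo and upstream both do, which is the point being argued: a single location's self-consistency is not evidence, agreement between independent locations is.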