2015-03-06 1:56 GMT+01:00 Rick "Zero_Chaos" Farina <[email protected]>: > > tl;dr webrsync-gpg is a built in feature of the package manager which > OPTIONALLY adds a significant amount of security against the attacks > described on your website. This is not currently the default setting, > however, it is described in many hardening guides for gentoo and widely > used among the security conscious.
Without numbers backing that up this is speculation. Given the default settings (without webrsync-gpg)…: > (8) Wrong software installation. Observe the DNS requests for the rsync- or webrsync mirror. They're not encrypted and give you a nice heads-up. A. (data in transit) It's almost never HTTPS and/or without authentication, so you can easily proceed to hijacking the connection. - Primed that way (DNS) insert a new rule into a router (or nameserver) along the path or within the DC to redirect the transaction. (See "quantum insert".) B. (data at rest) Bribe or coerce the owner of the (portage tree) mirror. Manifests and ebuilds are not centrally signed and there is no authoritative "signing transparency"/record (see "certificate transparency"). -- Mark
