2015-03-06 1:56 GMT+01:00 Rick "Zero_Chaos" Farina <[email protected]>:
>
> tl;dr webrsync-gpg is a built in feature of the package manager which
> OPTIONALLY adds a significant amount of security against the attacks
> described on your website.  This is not currently the default setting,
> however, it is described in many hardening guides for gentoo and widely
> used among the security conscious.

On 03/06/15 08:53, Mark Kubacki wrote:
>
> Without numbers backing that up this is speculation.

2015-03-06 16:20 GMT+01:00 Rick "Zero_Chaos" Farina <[email protected]>:
>
> 5,7,16,38,42.  There are some numbers to back up what I'm saying.  I
> have been doing security work for over 15 years and I'm a professional
> pen-tester.  If you want to read the portage code to verify what I said
> that's fine, but I'm reasonably confident I distilled what portage does
> into English.

We're on the same side here.

Do we have numbers showing the ratio "portage used with defaults" vs.
where "[webrsync-gpg] is described in many hardening guides for gentoo
and widely used among the security conscious" applies?

DNS not being encrypted is just painting the whole picture. Point is,
the default is that "emerge --sync" results in a transfer using RSYNC
(or http).

And by default you cannot compare the result with any authoritative source.

-- 
Mark
