On 03/06/2015 09:50 AM, Mark Kubacki wrote: > We're on the same side here. > > Do we have numbers showing the ratio "portage used with defaults" vs. > where "[webrsync-gpg] is described in many hardening guides for gentoo > and widely used among the security conscious" applies? > > DNS not being encrypted is just painting the whole picture. Point is, > the default is that "emerge --sync" results in a transfer using RSYNC > (or http). > > And by default you cannot compare the result with any authoritative source. >
Ideally, we can rely on security mechanisms built into git [1], possibly involving signed commits. [1] https://github.com/gentoo/gentoo-portage-rsync-mirror -- Thanks, Zac