On Mon, Jun 29, 2020, at 9:34 PM, Zac Medico wrote:
> On 6/29/20 7:15 PM, Sid Spry wrote:
> > On Mon, Jun 29, 2020, at 9:13 PM, Sid Spry wrote:
> >> Hello,
> >>
> >> I have some runnable pseudocode outlining a faster tree verification 
> >> algorithm.
> > 
> > Ah, right. It's worth noting that even faster than this algorithm is simply
> > verifying a .tar.xz. Is that totally off the table? I realize it doesn't fit
> > every usecase, but it seems to be faster in both sync and verification time.
> 
> We've already got support for that with sync-type = webrsync. However, I
> imagine sync-type = git is even better. All of the types are covered here:
> 
> https://wiki.gentoo.org/wiki/Portage_Security

I'm being warned right now that webrsync-gpg is being deprecated; I've been
using it. It is, amazingly, faster than a typical rsync and may be faster than
a git pull though.

The issue with git is there are some analyses that indicate you shouldn't rely
on git for integrity, so you are back to verifying the tree on-disk, which is
slower than verifying the .tar.xz.

(To clarify: Even with signed commits the commit hashes could be attacked and
this is considered somewhat feasible.)
