On 30/06/18 19:15, Rich Freeman wrote:
On Sat, Jun 30, 2018 at 9:54 AM Francisco Blas Izquierdo Riera
(klondike) <klond...@gentoo.org> wrote:

On 29/06/18 at 18:33, Peter Humphrey wrote:
On Thursday, 28 June 2018 22:15:36 BST Francisco Blas Izquierdo Riera
(klondike) wrote:
[...]
Whilst the malicious code shouldn't work as is and GitHub has now
removed the organization, please don't use any ebuild from the GitHub
mirror obtained before 28/06/2018, 18:00 GMT until new warning.
Does this mean that we're safe to use anything from after your warning?

It means you are safe to use anything from official Gentoo sources other
than GitHub. As of now even GitHub should be okay as there was a force
push to restore the repositories.


If you are using git syncing I believe that portage will verify that
the top commit (which is the only one that really matters) is using a
trusted key if you put the following line in repos.conf for the
repository:
sync-git-verify-commit-signature = true

Obviously this only works with repositories signed by one of the Gentoo keys.
[...]

When using git to sync portage, aren't you supposed to use:

  git://anongit.gentoo.org/repo/sync/gentoo.git

anyway instead of GitHub?
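
An added example, not part of the thread and not Portage code: a small Python check that reads repos.conf-style text and lists the git-synced repositories that do not set the sync-git-verify-commit-signature = true option mentioned above, along with the host each one syncs from. The sample configuration and its section names and paths are constructed, and treating "yes" like "true" is an assumption.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample; section names, locations and the GitHub URL are placeholders.
SAMPLE = """
[gentoo]
location = /var/db/repos/gentoo
sync-type = git
sync-uri = https://github.com/example-org/example-repo.git

[gentoo-verified]
location = /var/db/repos/gentoo-verified
sync-type = git
sync-uri = git://anongit.gentoo.org/repo/sync/gentoo.git
sync-git-verify-commit-signature = true

[local]
location = /var/db/repos/local
"""


def audit_repos_conf(text):
    """Return {repo: {"verified": bool, "host": str}} for each git-synced repo."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for name in cp.sections():
        sec = cp[name]
        # Only git-synced repositories are affected by this setting.
        if sec.get("sync-type", "").strip().lower() != "git":
            continue
        flag = sec.get("sync-git-verify-commit-signature", "false").strip().lower()
        host = urlparse(sec.get("sync-uri", "")).hostname or ""
        # Assumption: "true" or "yes" (any case) enables verification.
        report[name] = {"verified": flag in ("true", "yes"), "host": host}
    return report


def unverified(report):
    """Names of git-synced repos whose top commit signature is not checked."""
    return sorted(n for n, r in report.items() if not r["verified"])


if __name__ == "__main__":
    result = audit_repos_conf(SAMPLE)
    for repo, info in result.items():
        state = "signature checked" if info["verified"] else "NOT checked"
        print(f"{repo}: syncs from {info['host']}, top commit {state}")
```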

