On Tue, 23 Jan 2007 12:07:46 +0000
Neil Bothwick <[EMAIL PROTECTED]> wrote:

> On Mon, 22 Jan 2007 18:12:07 -0800 (PST), Eric Bohn wrote:
> > Using Portage you're putting yourself at the mercy of any Joe Schmoe
> > with a proxy connection to a Gentoo server that wants to compromise
> > your machine.
> How so? They'd have to get a compromised source tarball on the
> distfiles mirrors and a hacked ebuild into the CVS tree. Getting a
> hacked ebuild on the servers isn't enough, it would be replaced in no
> more than fifteen minutes.
> Why is this easier than getting a compromised RPM onto a Red Hat or
> SUSE server?
Hi Neil,
It'll be the same when the 'new' Manifest2 format is fully implemented.
Haven't checked, but you need at least ebuild & eclass GPG signing, etc.
There was a discussion (on some Gentoo ML, IIRC 'security') a year or
more ago, some very ancient Bug was mentioned.
RPMs are signed (but check this again), BTW debs are too.
The work is going on this, but I've no info about the progress made.
HTH. Rumen
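To make the Manifest2 point above concrete, here is an added example (not code from the thread or from Portage itself) that builds and verifies Manifest2-style entries of the form `TYPE filename size HASHNAME hex ...`; the package name, file contents and the SHA256/SHA512 hash set are constructed for illustration.

```python
import hashlib

# Hash algorithms carried per entry in this constructed example (hashlib
# knows them by the lower-cased name). Real Manifest2 files list the
# algorithms Portage was configured with at the time.
HASHES = ("SHA256", "SHA512")

def manifest_entry(kind, name, data):
    """Build one Manifest2-style line: TYPE name size HASH hex [HASH hex ...]"""
    fields = [kind, name, str(len(data))]
    for algo in HASHES:
        fields += [algo, hashlib.new(algo.lower(), data).hexdigest()]
    return " ".join(fields)

def parse_manifest(text):
    """Return {(kind, name): (size, {algo: hexdigest})} for each line."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        # need TYPE, name, size and at least one (algo, digest) pair
        if len(parts) < 5 or (len(parts) - 3) % 2:
            raise ValueError(f"malformed Manifest2 line: {line!r}")
        kind, name, size = parts[0], parts[1], int(parts[2])
        digests = dict(zip(parts[3::2], parts[4::2]))
        entries[(kind, name)] = (size, digests)
    return entries

def verify(manifest_text, files):
    """files: {(kind, name): bytes}. Returns a list of (kind, name, reason)
    failures; an empty list means every file matches the Manifest."""
    entries = parse_manifest(manifest_text)
    failures = []
    for key, (size, digests) in entries.items():
        data = files.get(key)
        if data is None:
            failures.append((*key, "missing"))
            continue
        if len(data) != size:
            failures.append((*key, "size mismatch"))
            continue
        for algo, expected in digests.items():
            if hashlib.new(algo.lower(), data).hexdigest() != expected:
                failures.append((*key, f"{algo} mismatch"))
                break
    # a file on disk that the Manifest does not mention is also a failure
    for key in files:
        if key not in entries:
            failures.append((*key, "not in Manifest"))
    return failures
```

This only proves a tarball or ebuild matches the Manifest; if the Manifest itself is unsigned, a replaced Manifest passes just as well, which is the gap the GPG signing mentioned in the thread is meant to close.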
gentoo-user@gentoo.org mailing list