On 23.10.2011 09:49, Mick wrote:
> On Saturday 22 Oct 2011 22:30:45 Volker Armin Hemmann wrote:
>> On Saturday 22 October 2011, 18:14:32, Nikos Chantziaras wrote:
>>> On 10/22/2011 05:07 PM, Adam Carter wrote:
>>>>> there aren't any Linux viruses,
>>>>
>>>> Except for the ones listed on the page below, which is probably
>>>> incomplete. http://en.wikipedia.org/wiki/Linux_malware
>>>>
>>>> But yeah, on a linux desktop (especially a Gentoo one) you don't need
>>>> a virus scanner. Yet.
>>>
>>> There are literally *millions* of Windows viruses.  The Wikipedia page
>>> just proves Linux has virtually no viruses, and those listed don't even
>>> work anymore (exploits have been patched long ago.)  Most existing Linux
>>> malware targets servers (like PHP software exploits in forums, wikis,
>>> etc) and desktop users don't need to worry.
>>>
>>> Furthermore, even if there were enough Linux viruses to worry about,
>>> there isn't a good way of getting infected.  On Windows, you download
>>> random executables from the net.  On Gentoo, you install your stuff
>>> through portage.  It's nearly impossible to get infected.
>>
>> except when someone puts up or takes over an rsync server and starts
>> providing malicious ebuilds.
>>
>>
>> Hilarious.
> 
> Isn't that what happened back in 2003/04?  I can't recall exactly but there 
> was some discussion where it was suggested that clients should rsync against 
> two different mirrors and diff the portage contents (or hashes thereof?),
> before accepting the sync result.

That still doesn't protect you against man-in-the-middle attacks or an
attack against the CVS tree (like the recent kernel.org disaster).

Signing the manifest files is really the only reasonable solution. Good
thing there seems to be some progress in that direction:
https://bugs.gentoo.org/show_bug.cgi?id=360363

Regards,
Florian Philipp

Attachment: signature.asc
Description: OpenPGP digital signature
