On Tuesday 23 January 2007 12:07, Neil Bothwick wrote:
> On Mon, 22 Jan 2007 18:12:07 -0800 (PST), Eric Bohn wrote:
> > Using Portage you're putting yourself at the mercy of any Joe Schmoe
> > with a proxy connection to a Gentoo server that wants to compromise
> > your machine.
>
> How so? They'd have to get a compromised source tarball on the distfiles
> mirrors and a hacked ebuild into the CVS tree. Getting a hacked ebuild
> on the servers isn't enough, it would be replaced in no more than fifteen
> minutes.
>
> Why is this easier than getting a compromised RPM onto a Red Hat or SUSE
> server?

If you're *really* paranoid, rsync twice (with a different mirror each time) then diff the package you intend to install to see if there are any suspect ebuilds. Ditto for distfiles. If in doubt compare gpg/MD5 sums with sourceforge, or the package developer's website/ftp server.

Of course, you could repeat three times over and see if there's a discrepancy with the diff comparison. I mean, how much time have you available? If you can script and you're managing a critical server for the MOD, or NASA, or whatnot, then you could probably automate the whole process and include random selections of servers.

If you go back 2-3 years I remember there was a compromise of some Gentoo mirrors and we were all reinstalling afresh. I can't remember what the systemic weakness was, or if/how it was fixed - you may be able to dig something up from the Gmane archives.

Sometimes I feel quite relieved that I only manage a couple of boxen in my spare room. :)

-- 
Regards,
Mick
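
The cross-mirror check described in the message above (sync the same package from several mirrors, look for any file that differs, then compare distfile checksums against upstream), as an added example that is not part of the original post. The mirror directories, the package name `app-misc/foo`, the function names and the use of SHA-256 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: cross-check one package directory synced from several mirrors.
# All paths and file names below are constructed; sha256sum is this example's choice.

# Print "digest  ./relative/path" for every file under directory $1.
tree_digests() {
    ( cd "$1" && find . -type f | while IFS= read -r f; do sha256sum "$f"; done )
}

# Print each path whose content is not identical in ALL given trees
# (modified on one mirror, or missing from one). Returns 1 if any is found.
compare_trees() {
    ct_n=$#
    ct_bad=$(for ct_dir in "$@"; do tree_digests "$ct_dir"; done |
        LC_ALL=C sort | uniq -c |
        awk -v n="$ct_n" '$1 != n { sub(/^ *[0-9]+ [0-9a-f]+  /, ""); print }' |
        LC_ALL=C sort -u)
    [ -z "$ct_bad" ] && return 0
    printf '%s\n' "$ct_bad"
    return 1
}

# Return 0 only if file $1 hashes to digest $2, where $2 was fetched
# separately from the upstream project's own site.
verify_distfile() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Constructed demo: three "mirror" copies, one with an altered ebuild.
demo() {
    d=$(mktemp -d)
    for m in mirror1 mirror2 mirror3; do
        mkdir -p "$d/$m/app-misc/foo"
        printf 'SRC_URI="http://example.org/foo-1.0.tar.gz"\n' \
            > "$d/$m/app-misc/foo/foo-1.0.ebuild"
    done
    printf 'SRC_URI="http://example.net/foo-1.0.tar.gz"\n' \
        > "$d/mirror2/app-misc/foo/foo-1.0.ebuild"
    if compare_trees "$d"/mirror*/app-misc/foo; then
        echo "all mirrors agree"
    else
        echo "discrepancy in the files listed above: do not install yet"
    fi
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument `demo` to see the constructed case. Any path that `compare_trees` prints is the one to open with `diff -u` across the mirror copies.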