(1) Run "find /usr/portage -type f | xargs sha1sum -b" on
the Gentoo main system.
(2) Sign the output with GPG.
(3) Put it into the portage tree.
(4) If the user has GPG installed and has manually put the
appropriate public key in some place _outside_ of the
portage tree, have "emerge sync" verify that the
signature is intact and all hashes hold.
(5) Missing files in the tree are okay (rsync_excludes),
files in the tree which do not have a hash are not okay.
--
gentoo-security@gentoo.org mailing list
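
The client-side check described in steps (4) and (5) could look like the sketch below. This is an added example, not code from the original post or from Portage. It assumes the signed list sits at the top of the tree as SHA1SUMS with a detached signature SHA1SUMS.asc (hypothetical names), and that paths in the list are relative to the tree.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the signed list is
# TREE/SHA1SUMS with detached signature TREE/SHA1SUMS.asc (hypothetical names),
# made by running "find . -type f | xargs sha1sum -b" from the top of the tree.
# Usage: verify_tree TREE [KEYRING]   (KEYRING is a path outside TREE)
# Returns 0 = ok, 1 = bad or unlisted file, 2 = signature check failed.
verify_tree() {
    vt_tree=$1
    vt_keyring=${2:-}
    vt_list=$vt_tree/SHA1SUMS
    # Step (4): authenticate the list before trusting any hash in it.
    # Without a keyring only the hash checks run (corruption, not tampering).
    if [ -n "$vt_keyring" ]; then
        gpg --no-default-keyring --keyring "$vt_keyring" \
            --verify "$vt_list.asc" "$vt_list" || return 2
    fi
    vt_rc=0
    vt_listed=$(mktemp) || return 2
    vt_present=$(mktemp) || return 2
    # Each line is "<sha1> *<path>"; read splits off the hash, then drop the "*".
    while read -r vt_want vt_name; do
        vt_name=${vt_name#\*}
        printf '%s\n' "$vt_name" >>"$vt_listed"
        # Step (5): a listed file that is absent is fine (rsync_excludes).
        [ -f "$vt_tree/$vt_name" ] || continue
        vt_have=$(sha1sum -b "$vt_tree/$vt_name" | cut -d' ' -f1)
        if [ "$vt_have" != "$vt_want" ]; then
            echo "hash mismatch: $vt_name" >&2
            vt_rc=1
        fi
    done <"$vt_list"
    # Step (5): every file present must be listed. The list and its
    # signature cannot contain their own hashes, so they are skipped.
    (cd "$vt_tree" && find . -type f ! -path ./SHA1SUMS ! -path ./SHA1SUMS.asc) |
        LC_ALL=C sort >"$vt_present"
    LC_ALL=C sort -o "$vt_listed" "$vt_listed"
    vt_extra=$(LC_ALL=C comm -23 "$vt_present" "$vt_listed")
    if [ -n "$vt_extra" ]; then
        echo "files without a hash:" >&2
        echo "$vt_extra" >&2
        vt_rc=1
    fi
    rm -f "$vt_listed" "$vt_present"
    return "$vt_rc"
}
```

File names containing newlines or backslashes are not handled, which matches the limits of the find | xargs pipeline in step (1).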