Hi list!
Am I right that there is currently no way portage tries to verify that
the rsync-mirror is not spoofed?
Doesn't that pose a major threat? If I were able to manipulate the
domain name resolution, I could easily trick gentooers into making false
updates and thus executing a malicious program with root-permission on
their machine.
So, why isn't there some kind of public key authentication going on, at
least optionally?
By the way: How does gentoo's gpg-feature work. The man-page doesn't
contain an explanation.
Am I right that there is currently no way portage tries to verify that
the rsync-mirror is not spoofed?
Doesn't that pose a major threat? If I were able to manipulate the
domain name resolution, I could easily trick gentooers into making false
updates and thus executing a malicious program with root-permission on
their machine.
So, why isn't there some kind of public key authentication going on, at
least optionally?
By the way: How does gentoo's gpg-feature work. The man-page doesn't
contain an explanation.