Bug 537120 - gentoo should default to gpg validated emerge-webrsync
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Reported: 2015-01-20 11:13 UTC by naduss
Modified: 2015-01-20 11:38 UTC
Description naduss 2015-01-20 11:13:14 UTC
I get that there are drawbacks to not using rsync, but there are always trade-offs to be made when securing something. At this point I strongly believe that there is no excuse for defaulting to installing from unvalidated sources.

Fixing this requires gnupg in stage3 and changes to the installation handbook.

An added benefit of any user inconvenience could be that fixing things for real (http://wiki.gentoo.org/wiki/GLEP:58 and moving to git) would get some visibility and therefore more helping hands.



Reproducible: Always
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-01-20 11:32:05 UTC
This is not a matter for the Security team (that deals with vulnerability handling and tracking of applications in the Gentoo tree).

You might be interested in the Gentoo Keys project[0] that works on bringing OpenPGP signatures into the handling of commits and further packages. The first release of gkeys was made just recently.

References:
[0] https://wiki.gentoo.org/wiki/Project:Gentoo-keys
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2015-01-20 11:38:37 UTC
We don't need a bug for tracking this.