
Bug 537120

Summary: gentoo should default to gpg validated emerge-webrsync
Product: Gentoo Security
Reporter: naduss <kolsjdldddd>
Component: Default Configs
Assignee: Gentoo Security <security>
Status: RESOLVED UPSTREAM
Severity: normal
CC: jaak
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description naduss 2015-01-20 11:13:14 UTC
I get that there are drawbacks to not using rsync, but there are always trade-offs to be made when securing something. At this point I strongly believe that there is no excuse for defaulting to installing from unvalidated sources.

Fixing this requires gnupg in stage3 and changes to the installation handbook.

An added benefit of any user inconvenience could be that fixing things for real (http://wiki.gentoo.org/wiki/GLEP:58 and moving to git) would get some visibility and therefore more helping hands.

Reproducible: Always
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-01-20 11:32:05 UTC
This is not a matter for the Security team (that deals with vulnerability handling and tracking of applications in the Gentoo tree).

You might be interested in the Gentoo Keys project[0], which works on bringing OpenPGP signatures into the handling of commits and further packages. The first release of gkeys was made just recently.

References:
[0] https://wiki.gentoo.org/wiki/Project:Gentoo-keys
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2015-01-20 11:38:37 UTC
We don't need a bug for tracking this.