HeXiLeD Veteran
Joined: 20 Aug 2005 Posts: 1159 Location: Online
Posted: Mon Feb 05, 2007 1:58 pm Post subject: Secure Portage System [SOLVED]
This has been on my mind for a long, long time now, and I think it should be implemented without losing more time.
The portage system should have strong crypto to validate downloaded packages.
Today I was reading about Debian and I decided to talk about it here.
See secure-apt here
Why would we want this?
Well... let's see... to start, because of ARP poisoning and a few other things that can trick a user into getting 'malicious packages' onto the system.
From there I believe I don't need to draw the full potential implications of such a possibility (in fact I don't even want to give extra ideas about it).
These days OS's are depending more and more on the web. We are almost becoming webOS's (in fact there are projects for that too).
_________________
Do you hear the sound of inevitability?
With age, comes great grumpiness and that, was 20 years ago...
CertFP: becbbd161d5a5c31de3c45171b77bf710911db29 / d985d21f89fe2977b593c4d381a1a86802e62990d9328d893db76d59f9935244
Last edited by HeXiLeD on Thu Feb 27, 2020 11:09 am; edited 3 times in total |
didl Retired Dev
Joined: 09 Sep 2003 Posts: 1106 Location: Pittsburgh, PA
Posted: Mon Feb 05, 2007 2:05 pm
If you search through the gentoo-dev list you should find several (long) threads about this and related issues.
HeXiLeD Veteran
Joined: 20 Aug 2005 Posts: 1159 Location: Online
Posted: Mon Jan 26, 2009 1:18 am
I have been a bit away and lost track of this topic. What is the current status of portage regarding this topic?
HeXiLeD Veteran
Joined: 20 Aug 2005 Posts: 1159 Location: Online
Posted: Wed Jul 23, 2014 8:11 pm
Almost 10 years later... (time flies...)
http://wiki.gentoo.org/wiki/GLEP:57 still no full fix ...
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Wed Jul 23, 2014 9:11 pm
HeXiLeD ...
There is some movement in that direction with gentoo-keys and pyGPG. Not sure what the intention is, but if commits are signed, and the keys available, then it should be possible to verify when reaching the end user.
best ... khay
dol-sen Retired Dev
Joined: 30 Jun 2002 Posts: 2805 Location: Richmond, BC, Canada
Posted: Thu Jul 24, 2014 3:31 pm
Yes, the gentoo-keys project is underway and will hopefully have a preliminary release by the end of summer. Once it is sufficiently complete it will be used for commit verification, layman's repositories.xml list verification and all release media. To what extent portage will be modified to use it is still not known, but it will be incorporated.
_________________
Brian
Porthole, the Portage GUI frontend irc@freenode: #gentoo-guis, #porthole, Blog
layman, gentoolkit, CoreBuilder, esearch...