Hi list! Am I right that there is currently no way portage tries to verify that the rsync-mirror is not spoofed?
Doesn't that pose a major threat? If I were able to manipulate the domain name resolution, I could easily trick gentooers into making false updates and thus executing a malicious program with root-permission on their machine. So, why isn't there some kind of public key authentication going on, at least optionally? By the way: How does gentoo's gpg-feature work. The man-page doesn't contain an explanation.
signature.asc
Description: This is a digitally signed message part
