Robert Buchholz wrote on 03/20/2008 02:07 PM:
(CVS, core gentoo infra) and then check it on the user side. If you want to do this right now, you can change your tree syncing to manually download the gpg-signed portage-latest.tar.bz2 tree snapshots from your local distfiles mirror and check them.
emerge-webrsync can do the downloading for you. The current version in svn [1] should also be able to handle the verification, just note that the key id changed to 239C75C4 [2].
Regards, Matthias[1] <http://sources.gentoo.org/viewcvs.py/portage/main/trunk/bin/emerge-webrsync?view=markup>
[2] <http://bugs.gentoo.org/show_bug.cgi?id=130039> -- Matthias Geerdsen (vorlon) Gentoo Linux Security Team http://security.gentoo.org
signature.asc
Description: OpenPGP digital signature
