https://bugs.gentoo.org/show_bug.cgi?id=597804
the gentoo meme is finished
remove the pinned post mods
>>57308419
good. it's about time this meme died.
>>57308419
tl;dr- packages (meaning both unprivileged apps and system services) are downloaded over an insecure, easily MITM-able connection. Digital signatures are available and are downloaded, and the fact that they are downloaded is presented to the user. The user therefore believes that their updates are being verified.
However these signatures are NOT actually being verified by Gentoo.
Possible solutions:
* Only use a secure connection to downloads the updates
* Always verify the digital signatures of the updates
* Preferably, both
This is unlikely to have a wide impact, because nobody in their right mind uses Gentoo in production (ChromeOS is based on it, but has its own security mechanisms) and nobody is interested in MITMing neckbeards' chinkpads.
>>57308698
>damage control
>>57308742
? I'm not defending it all. It's clearly been designed by people with absolutely no clue what they're doing when it comes to security. It's a joke.
Why would anyone submit themselves to this shit when Funtoo exists?
remember when we used to make fun of arch for not signing the package list? like 5 years ago?
Why the fuck are they not using git yet.
>>57309311
You can.