[$] Signing and distributing Gentoo

Post Syndicated from jake original https://lwn.net/Articles/759467/rss

The compromise of Gentoo’s GitHub
mirror was certainly embarrassing, but its overall impact on Gentoo users
was likely fairly limited. Gentoo and GitHub responded
quickly and forcefully
to the breach, which greatly limited the damage
that could be done; the fact that it was a mirror and not the master copy
of Gentoo’s repositories made it relatively straightforward to recover
from. But the black eye that it gave the project has led some to consider ways
to make it even harder for an attacker to add malicious content to
Gentoo—even if the distribution’s own infrastructure were to be