On 11/04/2015 09:56 AM, Andrew Savchenko wrote:
> On Sun, 1 Nov 2015 14:53:20 +0100 hasufell wrote:
>>>> You shouldn't use rsync anymore, it is inherently insecure. The git
>>>> tree is _properly_ gpg signed so you can verify its correctness.
>>>>
>>>> With the following portage configuration/hooks, any user can run the
>>>> tree directly from git:
>>>> https://github.com/hasufell/portage-gentoo-git-config
>>>
>>> More secure by fetching metadata cache via rsync ?
>>> Better by running egencache after each sync ?
>>> I don't think so.
>>>
>>
>> Yes it is.
>
> No, it is not. The whole git tree is insecure and no better than
> rsync or CVS in terms of data security because SHA1 is vulnerable.
>

Another one who is confusing _any_ collision with _preimage attack_ ;)