Hi everyone,

With the recent GitHub incident, users have (rightfully) voiced concerns about the security of their Gentoo ebuild tree. Luckily, thanks to recent efforts on the repository verification feature, we can answer "yes, it's possible to update your ebuild tree in a convenient and secure manner", but documentation about how to do it is not readily available. I've seen some of these questions only partially answered due to our own lack of knowledge on this subject as developers.

To fix this, I've been working, in the last few days, on a new "Portage Security" wiki page [1] that aims to guide the user to a secure setup and dispel doubts about the security of their setup. I would invite you to start pointing users to it when they ask questions on this matter.

I'm not a very experienced developer and this has been written with the little knowledge I have, so I invite you to review and correct it if needed.

Regards,
Virgil Dupras

[1]: https://wiki.gentoo.org/wiki/Portage_Security