i lack the time for an in-depth coverage, but it looks like the recent security issue had a beneficial effect in that it made some more people think about the future development inside gentoo :) nice!
portage-ng requirements sheet (natural language, sure ;). it’s really time for a re-engineered, modular architecture as a) this is probably a pre-condition for any production-quality package signing feature (now: module) in portage b) modularity will improve manageability and quality assurance of portage-ng in general
gentoo release roadmap 2004
regarding the compromised rsync mirror: the attackers seem to have exploited a heap overflow in rsync (glsa: exploitable heap overflow in rsync) to gain access to the box and the recent brk() vuln to gain root privileges. (btw another nice novelty, gentoo now lists glsas on a dedicated web page. yet another thing i’ve been asking for yesterday fulfilled today. thanks! :)
now we know what kind of exploit was used [my assumption that this might well concern all of us who run gentoo was absolutely right] and which box was compromised. i think we can qualify this as “full disclosure”.
all in all: much better now, folks! :)
(see also the news on ln -s)
[note: this server always runs the most current software available. if there are any security announcements (bugtraq, full-disclosure, glsa) regarding software used on this server, i usually update the said software within minutes/hours. further, it’s hardened against some kind of attacks and constantly monitored.]