| 1 |
I think this has been brought up many times before, but as most of us |
| 2 |
know, many of the debian servers have been compromised recently. This |
| 3 |
has reinstated fear into many people about how "trustful" our distfile |
| 4 |
repositories really are. If indeed one is compromised it would be too |
| 5 |
easy for someone to slip a backdoor into a package, especially since I |
| 6 |
and a lot of other gentoo users simply ignore md5 checksums. If a |
| 7 |
digest fails we simply ebuild foo.ebuild digest it again. I think an |
| 8 |
option should be made that would allow failing packages if gpg fails. (I |
| 9 |
think Redhat does something like this) This of course is not a fool |
| 10 |
proof way, but a big improvement over what is currently done to ensure |
| 11 |
package integrity. |
| 12 |
|
| 13 |
Yi |
Archives