I think this has been brought up many times before, but as most of us
know, many of the Debian servers have been compromised recently. This
has reinstated fear into many people about how "trustful" our distfile
repositories really are. If indeed one is compromised it would be too
easy for someone to slip a backdoor into a package, especially since I
and a lot of other Gentoo users simply ignore md5 checksums. If a
digest fails we simply ebuild foo.ebuild digest it again. I think an
option should be made that would allow failing packages if gpg fails. (I
think Redhat does something like this.) This of course is not a foolproof
way, but a big improvement over what is currently done to ensure
package integrity.

Yi
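The fail-closed digest check the post argues for, as an added example that is not Portage's, Gentoo's or the poster's own code. It assumes a constructed, simplified manifest format (one `ALGO hexdigest filename size` line per digest), and the function names `make_manifest`, `verify_distfile` and `should_install` are the example's own. The point it makes is that a verifier must treat a digest mismatch, a size mismatch or an algorithm it cannot check as a refusal, rather than quietly regenerating the digest from whatever was downloaded:

```python
"""Fail-closed distfile verification (added example, not Portage code).

Manifest format used here is constructed for the example:
    <ALGO> <hexdigest> <filename> <size>
It is not the real Portage Manifest layout.
"""
import hashlib
import hmac

# Digest algorithms this verifier knows how to compute.
SUPPORTED = {"MD5": hashlib.md5, "SHA256": hashlib.sha256}

# Constructed sample distfile (stands in for foo-1.0.tar.gz).
SAMPLE_FILE = b"#!/bin/sh\necho hello from foo-1.0\n"
SAMPLE_NAME = "foo-1.0.tar.gz"


def make_manifest(data: bytes, filename: str) -> str:
    """Publisher side: one line per supported digest, plus the size."""
    lines = [f"{algo} {fn(data).hexdigest()} {filename} {len(data)}"
             for algo, fn in SUPPORTED.items()]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str):
    """Parse manifest lines into (algo, digest, filename, size) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        algo, digest, filename, size = parts
        entries.append((algo.upper(), digest.lower(), filename, int(size)))
    return entries


def verify_distfile(data: bytes, filename: str, manifest_text: str) -> list:
    """Return a list of problems; an empty list means the file verified.

    Fail closed: a missing entry, a size mismatch, an unknown algorithm and
    a digest mismatch are all reported as problems, never skipped.
    """
    problems = []
    entries = [e for e in parse_manifest(manifest_text) if e[2] == filename]
    if not entries:
        return [f"{filename}: no manifest entry"]

    sizes = {e[3] for e in entries}
    if sizes != {len(data)}:
        problems.append(f"{filename}: size {len(data)} does not match manifest {sorted(sizes)}")

    for algo, digest, _, _ in entries:
        fn = SUPPORTED.get(algo)
        if fn is None:
            problems.append(f"{filename}: unsupported digest {algo} (refusing to skip it)")
            continue
        actual = fn(data).hexdigest()
        # Constant-time comparison; avoids leaking how many leading hex chars matched.
        if not hmac.compare_digest(actual, digest):
            problems.append(f"{filename}: {algo} mismatch")
    return problems


def should_install(problems: list, strict: bool) -> bool:
    """Policy switch the post asks for.

    strict=True  -> any problem blocks the install.
    strict=False -> the 'just regenerate the digest' habit: problems are ignored.
    """
    return not problems if strict else True


if __name__ == "__main__":
    manifest = make_manifest(SAMPLE_FILE, SAMPLE_NAME)
    print("clean file:", verify_distfile(SAMPLE_FILE, SAMPLE_NAME, manifest))
    tampered = SAMPLE_FILE + b"\n# constructed: bytes appended after the manifest was made\n"
    found = verify_distfile(tampered, SAMPLE_NAME, manifest)
    print("tampered file:", found)
    print("install under strict policy?", should_install(found, strict=True))
```

Running it verifies the constructed file, then shows that a file altered after the manifest was produced fails on size and on every digest, and that the strict policy refuses it while the lax policy would install it anyway.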