| 1 |
* Lisa Seelye <lisa@g.o>: |
| 2 |
> On Fri, 2003-11-21 at 21:09, Yi Qiang wrote: |
| 3 |
> > how "trustful" our distfile |
| 4 |
> > repositories really are. If indeed one is compromised it would be too |
| 5 |
> > easy for someone to slip a backdoor into a package, especially since I |
| 6 |
> > and a lot of other gentoo users simply ignore md5 checksums. |
| 7 |
|
| 8 |
Ignoring of md5 checksums is not even necessary. As a holder of a |
| 9 |
distfile mirror i can put a patch in the 'files' dir and generate a |
| 10 |
suitable md5. The user will not see that he got fooled/backdoored. And |
| 11 |
best: If you wait long enough (after new version) the local distfiles |
| 12 |
are overwritten and every evidence in /var/db/pkg is wiped out. |
| 13 |
|
| 14 |
> If the key server/signature is compromised you have gained nothing over |
| 15 |
> the way we have it now. Adding it is just another way for something to |
| 16 |
> go wrong. |
| 17 |
|
| 18 |
Yes, but as long as your key is not compromised everyone will see that |
| 19 |
the distfiles come from the same source. |
| 20 |
|
| 21 |
> As for users doing ebuild foo.ebuild digest blindly - that's a good way |
| 22 |
> to put your box at serious risk. |
| 23 |
|
| 24 |
ACK. |
| 25 |
|
| 26 |
|
| 27 |
So the user should be able to verify that every file didnot get altered. |
| 28 |
And this is only possible with signified sources. |
| 29 |
|
| 30 |
-- |
| 31 |
.: Torsten | Don't tell any big lies today. Small ones can be :. |
| 32 |
.: | just as effective. :. |
| 33 |
|
| 34 |
-- |
| 35 |
gentoo-dev@g.o mailing list |
Archives