* Lisa Seelye <lisa@g.o>:
> On Fri, 2003-11-21 at 21:09, Yi Qiang wrote:
> > how "trustful" our distfile
> > repositories really are. If indeed one is compromised it would be too
> > easy for someone to slip a backdoor into a package, especially since I
> > and a lot of other gentoo users simply ignore md5 checksums.

Ignoring of md5 checksums is not even necessary. As a holder of a
distfile mirror I can put a patch in the 'files' dir and generate a
suitable md5. The user will not see that he got fooled/backdoored. And
best: If you wait long enough (after new version) the local distfiles
are overwritten and every evidence in /var/db/pkg is wiped out.

> If the key server/signature is compromised you have gained nothing over
> the way we have it now. Adding it is just another way for something to
> go wrong.

Yes, but as long as your key is not compromised everyone will see that
the distfiles come from the same source.

> As for users doing ebuild foo.ebuild digest blindly - that's a good way
> to put your box at serious risk.

ACK.

So the user should be able to verify that every file did not get altered.
And this is only possible with signified sources.

-- 
.: Torsten | Don't tell any big lies today. Small ones can be :.
.:         | just as effective.                                :.

-- 
gentoo-dev@g.o mailing list
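
The difference between the two checks discussed in this message, as an added example that is not part of the original post or of Portage: a digest manifest served next to the files only proves that the two agree with each other, while a signature over the manifest ties it to a key the mirror does not hold. File names and contents are constructed, and the signature is unpadded textbook RSA over two small known primes, an assumption made only to keep the example in the standard library; it is not a usable signature scheme.

```python
import hashlib

# Toy textbook-RSA key from two known Mersenne primes (constructed for
# illustration only: far too small and unpadded for real use).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the developer only


def manifest_for(files):
    """Digest manifest: one 'md5 name' line per file, sorted by name."""
    lines = [f"{hashlib.md5(data).hexdigest()} {name}"
             for name, data in sorted(files.items())]
    return "\n".join(lines).encode()


def _msg_int(manifest):
    # Hash the manifest and reduce it into the toy modulus.
    return int.from_bytes(hashlib.sha256(manifest).digest(), "big") % N


def sign(manifest):
    """Developer side: requires the private exponent D."""
    return pow(_msg_int(manifest), D, N)


def digests_match(files, manifest):
    """All a plain md5 check proves: files and manifest agree with each other."""
    return manifest_for(files) == manifest


def signature_valid(manifest, signature):
    """User side: needs only the public key (N, E)."""
    return pow(signature, E, N) == _msg_int(manifest)


# Constructed sample data: what the developer published.
original = {"foo-1.0.tar.gz": b"upstream source", "files/fix.patch": b"harmless patch"}
good_manifest = manifest_for(original)
good_sig = sign(good_manifest)

# What a mirror can serve: an altered file with regenerated digests. It can
# only replay the old signature, since it does not hold D.
mirrored = {**original, "files/fix.patch": b"altered patch"}
mirror_manifest = manifest_for(mirrored)

if __name__ == "__main__":
    print("md5 check on mirrored files:", digests_match(mirrored, mirror_manifest))
    print("signature on mirror manifest:", signature_valid(mirror_manifest, good_sig))
```
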