| 1 |
> Like I suspected there was already something similar but I hadn't found |
| 2 |
> it before. So the files/{digests} is part of the equation. And from at |
| 3 |
> least one rip in #gentoo it seems signing the packages seems silly to |
| 4 |
> some... |
| 5 |
|
| 6 |
I don't think it's silly. |
| 7 |
Because if Gentoo sings the ebuilds (and digest) my box can trust that what |
| 8 |
it will build out of the source is what the author wants it to do. It is a |
| 9 |
good way to prevent the classic man in the middle attack. I'm aware that i |
| 10 |
have to trust the keyholder and the authors of the ebuilds at all, but i |
| 11 |
don't trust my ISP and all the boxes between my box and cvs.gentoo.org. |
| 12 |
Also signing the ebuilds will enabled to trust mirrors which hold the portage |
| 13 |
tree. |
| 14 |
|
| 15 |
I think that the digest (because they are checked after the download) are |
| 16 |
intended to garantee the integrity of the tarballs. But only because of this |
| 17 |
digest i can trust the content of the mirrors. |
| 18 |
|
| 19 |
Maybe the developers are more busy with other things, but its never to early |
| 20 |
to think about security. |
| 21 |
|
| 22 |
Greetings |
| 23 |
Nils Ohlmeier |
Archives