On Wed, 18 Feb 2004 10:51:35 -0700
will.richey@×××××××××××××.com wrote:

> emerge -u xyzzy:
> - get source package from actual distributor, NOT GENTOO
> - compare MD5 of that to MD5 hash in portage tree
> - continue ebuild
>
> So, the MD5 hash in the portage tree comes from a different server
> than the source package. So, the determined attacker would have to
> control considerably more than one site.

One could specify a different file to download. It won't find the file on a
Gentoo mirror and will download it from where it is specified in the
ebuild. Also I could care less if it actually downloads the real file. The
ebuild could patch the code or do many other things. The ebuilds,
packages, and patches need to be signed in some way. Then you just have to
trust the developers and that no keys get stolen. Or you can check
everything before you install something.


Russell Valentine
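An added illustration of the point made in the reply above (example code, not from the thread or from Portage): a distfile-digest check of the kind the first poster describes, run against a constructed package directory. The digest layout used here, `MD5 <hex> <filename> <size>` per line, is assumed; the sample distfile, ebuild and patch contents are constructed. The check verifies the tarball, but reports the ebuild and patch as uncovered, which is exactly the content the reply says also needs to be signed.

```python
import hashlib
import re

# Constructed sample distfile and a digest line for it in the assumed
# "MD5 <hex digest> <filename> <size in bytes>" layout.
DISTFILE = b"xyzzy-1.0.tar.gz contents (constructed sample)\n"
DIGEST_TEXT = "MD5 {} xyzzy-1.0.tar.gz {}\n".format(
    hashlib.md5(DISTFILE).hexdigest(), len(DISTFILE))

# Constructed package directory: the digest lists the distfile only;
# the ebuild (which chooses SRC_URI) and the patch it applies are not listed.
PACKAGE_FILES = {
    "xyzzy-1.0.tar.gz": DISTFILE,
    "xyzzy-1.0.ebuild": b'SRC_URI="http://upstream.example/xyzzy-1.0.tar.gz"\n',
    "files/xyzzy-1.0-fix.patch": b"--- a/x\n+++ b/x\n",
}

DIGEST_LINE = re.compile(r"^MD5 ([0-9a-f]{32}) (\S+) (\d+)$")

def parse_digest(text):
    """Map filename -> (md5 hex, size); malformed lines are ignored."""
    entries = {}
    for line in text.splitlines():
        m = DIGEST_LINE.match(line.strip())
        if m:
            entries[m.group(2)] = (m.group(1), int(m.group(3)))
    return entries

def verify_package(digest_text, files):
    """Return (verified, failed, uncovered) lists of filenames.

    verified:  listed files whose size and MD5 match the digest
    failed:    listed files that are missing or whose content differs
    uncovered: files in the package that the digest never mentions, i.e.
               content a digest-only check cannot vouch for
    """
    entries = parse_digest(digest_text)
    verified, failed = [], []
    for name, (md5hex, size) in entries.items():
        data = files.get(name)
        if (data is not None and len(data) == size
                and hashlib.md5(data).hexdigest() == md5hex):
            verified.append(name)
        else:
            failed.append(name)
    uncovered = sorted(set(files) - set(entries))
    return sorted(verified), sorted(failed), uncovered
```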