List Archive: gentoo-security
On Wed, 18 Feb 2004 10:51:35 -0700
will.richey@... wrote:
> emerge -u xyzzy:
> - get source package from actual distributor, NOT GENTOO
> - compare MD5 of that to MD5 hash in portage tree
> - continue ebuild
>
> So, the MD5 hash in the portage tree comes from a different server
> than the source package. So, the determined attacker would have to
> control considerably more than one site.
One could specify a different file to download. It won't find the file on a
Gentoo mirror and will download it from where it is specified in the
ebuild. Also I could care less if it actually downloads the real file. The
ebuild could patch the code or do many other things. The ebuilds,
packages, and patches need to be signed in some way. Then you just have to
trust the developers and that no keys get stolen. Or you can check
everything before you install something.
Russell Valentine
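A worked illustration of the point made in this reply, added here as an example; it is not code from the thread or from Portage. It models the distfile MD5 check from the quoted message next to a simplified manifest that covers the ebuild text as well as the distfile and is signed by the developer. The package name, file names, manifest layout and the use of HMAC-SHA256 as a stand-in for an OpenPGP developer signature are all assumptions; the sample tarball bytes and ebuild texts are constructed.

```python
import hashlib
import hmac

# Constructed sample data: the upstream tarball the ebuild fetches.
DISTFILE = b"xyzzy-1.0 upstream source (constructed sample bytes)"

# Constructed ebuild as the developer committed it to the tree.
GOOD_EBUILD = (
    'SRC_URI="https://upstream.example/xyzzy-1.0.tar.gz"\n'
    'src_unpack() { unpack ${A}; }\n'
)

# Constructed edited ebuild: a different download location and an extra
# patch step after unpack. The distfile it names is byte-identical to the
# real one, so the distfile digest alone still matches.
TAMPERED_EBUILD = (
    'SRC_URI="http://other-host.example/xyzzy-1.0.tar.gz"\n'
    'src_unpack() { unpack ${A}; epatch ${FILESDIR}/extra.patch; }\n'
)

# Hypothetical developer signing key. HMAC-SHA256 stands in for the OpenPGP
# signature a real tree would carry (assumption, not Portage's format).
DEV_KEY = b"constructed-developer-signing-key"


def md5_hex(data: bytes) -> str:
    # MD5 is used only because it is the digest this 2004 thread discusses.
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_check(distfile: bytes, expected_md5: str) -> bool:
    """The check from the quoted message: MD5 of the fetched tarball
    against the digest recorded in the portage tree."""
    return hmac.compare_digest(md5_hex(distfile), expected_md5)


def build_manifest(ebuild: str, distfile: bytes) -> str:
    """Simplified manifest covering the ebuild text and the distfile, so
    any edit to the ebuild changes what the developer signs."""
    return (f"EBUILD xyzzy-1.0.ebuild {sha256_hex(ebuild.encode())}\n"
            f"DIST xyzzy-1.0.tar.gz {md5_hex(distfile)}\n")


def sign_manifest(manifest: str, key: bytes) -> str:
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


def parse_manifest(manifest: str) -> dict:
    entries = {}
    for line in manifest.splitlines():
        kind, name, digest = line.split()
        entries[(kind, name)] = digest
    return entries


def developer_signed_tree() -> tuple:
    """What the developer publishes: the manifest and its signature."""
    manifest = build_manifest(GOOD_EBUILD, DISTFILE)
    return manifest, sign_manifest(manifest, DEV_KEY)


def verify_before_install(ebuild: str, distfile: bytes, manifest: str,
                          signature: str, key: bytes) -> tuple:
    """Return (digest_ok, tree_ok).

    digest_ok: the distfile matches the MD5 recorded in the manifest.
    tree_ok:   the manifest carries a valid developer signature AND the
               ebuild on disk matches the hash that signed manifest records.
    """
    entries = parse_manifest(manifest)
    digest_ok = digest_check(distfile, entries.get(("DIST", "xyzzy-1.0.tar.gz"), ""))
    sig_ok = hmac.compare_digest(sign_manifest(manifest, key), signature)
    ebuild_ok = hmac.compare_digest(sha256_hex(ebuild.encode()),
                                    entries.get(("EBUILD", "xyzzy-1.0.ebuild"), ""))
    return digest_ok, sig_ok and ebuild_ok


if __name__ == "__main__":
    manifest, sig = developer_signed_tree()
    print("untouched tree:", verify_before_install(GOOD_EBUILD, DISTFILE, manifest, sig, DEV_KEY))
    # The ebuild is edited on a mirror and the manifest regenerated, but no
    # valid signature can be produced without the developer key.
    forged = build_manifest(TAMPERED_EBUILD, DISTFILE)
    print("edited ebuild: ", verify_before_install(TAMPERED_EBUILD, DISTFILE, forged, sig, DEV_KEY))
```

The edited ebuild passes the distfile MD5 check (the tarball really is the upstream one) and only fails because the signed manifest also covers the ebuild text, which is the gap the reply points at: a digest on the source package says nothing about the instructions that unpack and patch it.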