List Archive: gentoo-security
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
On Dienstag 06 April 2010, Butterworth, John W. wrote:
> Hi. I have a security-related question for Portage/rsync:
> If someone makes a change to a copy of a program (say a backdoor added to
> apache) hosted on a public mirror, will the sync'ing between the public
> mirror and the main rotation mirror determine that it's corrupted (via
> 'bad' checksum) on the public-mirror side and replace it?
> Thank you in advance,
what mirror? If he changes the apache tarball on one of the distfile mirrors or
the apache mirrors that one will be caught by the ckecksum check.
If he changes the ebuild - well...