List Archive: gentoo-security
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1400" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Why not take package security one step deeper to
ensure the validity of every ebuild and source-tree? </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Instead of relying upon a master hash of the
compressed package, create a hash for each source file, documentation, makefile,
etc., and as part of the emerge process, the application validates the
compressed hash, then looks at each decompressed file and compares its hash
value against a master repository.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Once everything checks out, we then guarantee that
the compressed package and all related source files are true to the source as it
was created, since the master hash tables are contained in the master repository
instead of within the compressed file (which can be altered).</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Just an idea, and if I am way off, let me
know.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Brian...</FONT></DIV></BODY></HTML>
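The per-file check proposed above, as an added example that is not code from the post or from Portage: a manifest of per-file digests is built from a known-good tree and kept out-of-band (the "master repository"), and the unpacked tree is later compared against it file by file, so an edited, dropped or added file is reported even though the archive itself could be rebuilt with a fresh master hash. SHA-256 and the three-file sample tree are assumptions; the post names no algorithm.

```python
import hashlib, os, tempfile

def sha256_file(path):
    """Hash one file in chunks so large sources need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(tree_root):
    """Digest every regular file in the unpacked tree (the table the master repository holds)."""
    manifest = {}
    for dirpath, _, filenames in os.walk(tree_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, tree_root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def verify_tree(tree_root, manifest):
    """Return {path: problem} for modified, missing or unlisted files; empty dict means clean."""
    actual = build_manifest(tree_root)
    problems = {}
    for rel, digest in manifest.items():
        if rel not in actual:
            problems[rel] = "missing"
        elif actual[rel] != digest:
            problems[rel] = "modified"
    for rel in actual:
        if rel not in manifest:
            problems[rel] = "unexpected"
    return problems

def demo():
    """Constructed sample tree: record it, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "src"))
        files = {"Makefile": b"all:\n\tcc -o hello src/hello.c\n",
                 "src/hello.c": b"int main(void) { return 0; }\n",
                 "README": b"hello\n"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f: f.write(data)
        trusted = build_manifest(root)   # kept out-of-band, like the master hash table
        clean = verify_tree(root, trusted)
        # Simulate an altered archive: one source edited, one file dropped, one added.
        with open(os.path.join(root, "src/hello.c"), "ab") as f: f.write(b"/* altered */\n")
        os.remove(os.path.join(root, "README"))
        with open(os.path.join(root, "src/extra.c"), "wb") as f: f.write(b"\n")
        return clean, verify_tree(root, trusted)
```

Note that the manifest itself must be fetched over a trusted channel or signed, otherwise an attacker who can alter the archive can alter the table too.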