List Archive: gentoo-security
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
On Mon, 2004-02-16 at 22:20, Brian Klauss wrote:
> Why not take package security one step deeper to ensure the validity
> of every ebuild and source-tree?
> Instead of relying upon a master hash of the compressed package,
> create a hash for each source file, documentation, makefile, etc.
Sorry, I don't see what that would give. If the md5 of the compressed
archive is fine, then we know already that it has not been tampered
with. Ergo, all contained files are fine.
(except for the theoretical possibility of md5-sum collision, which is
unlikely to an astronomical degree, and not worth worrying about in real
Heikki Levanto LSD - Levanto Software Development <heikki@...>
email@example.com mailing list