List Archive: gentoo-security
On Mon, 2004-02-16 at 22:20, Brian Klauss wrote:
> Why not take package security one step deeper to ensure the validity
> of every ebuild and source-tree?
>
> Instead of relying upon a master hash of the compressed package,
> create a hash for each source file, documentation, makefile, etc.
Sorry, I don't see what that would give. If the md5 of the compressed
archive is fine, then we know already that it has not been tampered
with. Ergo, all contained files are fine.
(except for the theoretical possibility of md5-sum collision, which is
unlikely to an astronomical degree, and not worth worrying about in the
real world)
Heikki
--
Heikki Levanto LSD - Levanto Software Development <heikki@...>
--
gentoo-security@g.o mailing list