| 1 |
On Sun, Nov 07, 2004 at 03:40:34PM +0000, Marc Ballarin wrote: |
| 2 |
> Well, I am no developer, but: |
| 3 |
> > (1) Do you agree that this is a problem? |
| 4 |
> |
| 5 |
> Of course. It is just in *no* way specific to Gentoo. rsync mirrors can be |
| 6 |
> compromised, but so does kernel.org, microsoft.com or any other server. |
| 7 |
> Digital signatures aren't used very often, because they are rather |
| 8 |
> difficult to handle, and can only solve the problem at one level. |
| 9 |
|
| 10 |
This is incorrect. On kernel.org, the signature files are in the same |
| 11 |
directory as the kernel source tarballs, with ".sig" on the end. |
| 12 |
|
| 13 |
RedHat's Fedora Core update mechanism checks the signature of each |
| 14 |
downloaded package, and actually warns you if the check doesn't match |
| 15 |
and asks whether you want to continue, which has happened on a number |
| 16 |
of occasions for me. |
| 17 |
|
| 18 |
Debian signs their main package tree as well, in the form of Packages and |
| 19 |
Release files. While I'm not sure whether checking this is automatic in |
| 20 |
apt, it is possible to do with a separate script, and I do use it. It |
| 21 |
works quite well after a little setup. |
| 22 |
|
| 23 |
- Chris |
| 24 |
|
| 25 |
|
| 26 |
-- |
| 27 |
gentoo-security@g.o mailing list |
Archives