On Sun, Nov 07, 2004 at 03:40:34PM +0000, Marc Ballarin wrote:
> Well, I am no developer, but:
> > (1) Do you agree that this is a problem?
>
> Of course. It is just in *no* way specific to Gentoo. rsync mirrors can be
> compromised, but so can kernel.org, microsoft.com or any other server.
> Digital signatures aren't used very often, because they are rather
> difficult to handle, and can only solve the problem at one level.

This is incorrect. On kernel.org, the signature files are in the same
directory as the kernel source tarballs, with ".sig" on the end.

RedHat's Fedora Core update mechanism checks the signature of each
downloaded package, and actually warns you if the check doesn't match
and asks whether you want to continue, which has happened on a number
of occasions for me.

Debian signs their main package tree as well, in the form of Packages and
Release files. While I'm not sure whether checking this is automatic in
apt, it is possible to do with a separate script, and I do use it. It
works quite well after a little setup.

- Chris


--
gentoo-security@g.o mailing list
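The Debian scheme Chris describes works as a chain: a signed Release file lists the digest and size of each Packages index, and each Packages stanza lists the digest and size of the .deb it describes, so a package is only trusted if every link holds. The script below is an added illustration of that chain, not Chris's script and not apt's code. It assumes the Release text has already been checked against its detached signature (Release.gpg) with gpg, which is the step this example does not perform, and it uses constructed sample data with SHA256 fields; 2004-era indexes carried MD5Sum fields instead, and the parser takes the digest name as a parameter so the same walk applies.

```python
"""Walk the Release -> Packages -> .deb digest chain of a Debian-style archive.

Constructed example: the sample index and package bytes are built inline and are
not a real archive. Verifying the gpg signature over the Release text is assumed
to have happened before this chain is trusted; it is not done here.
"""
import hashlib


def parse_release_hashes(release_text, algo="SHA256"):
    """Return {path: (hexdigest, size)} from the named digest section of Release.

    Sections look like:
        SHA256:
         <hexdigest> <size> main/binary-i386/Packages
    A non-indented line ends the section.
    """
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # Header lines such as "SHA256:" open a section; "Suite: stable" does not.
            in_section = line.rstrip(":") == algo
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text):
    """Split a Packages index into a list of {Field: value} stanzas."""
    stanzas, current = [], {}
    for line in packages_text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def verify_blob(data, expected_hex, expected_size, algo="sha256"):
    """Check both size and digest, as the indexes record both."""
    return len(data) == expected_size and hashlib.new(algo, data).hexdigest() == expected_hex


def verify_package(release_text, packages_path, packages_blob, deb_path, deb_blob):
    """Return (ok, reason) after checking every link from Release down to the .deb."""
    release = parse_release_hashes(release_text)
    if packages_path not in release:
        return False, "Packages file not listed in Release"
    digest, size = release[packages_path]
    if not verify_blob(packages_blob, digest, size):
        return False, "Packages file digest mismatch"
    for stanza in parse_packages(packages_blob.decode()):
        if stanza.get("Filename") == deb_path:
            if verify_blob(deb_blob, stanza["SHA256"], int(stanza["Size"])):
                return True, "ok"
            return False, "package digest mismatch"
    return False, "package not listed in Packages"


def build_sample():
    """Constructed archive fragments: a fake .deb, its Packages stanza, and a Release."""
    deb = b"constructed: not a real .deb archive\n"
    packages = (
        "Package: demo\nVersion: 1.0\nFilename: pool/main/d/demo_1.0_all.deb\n"
        f"Size: {len(deb)}\nSHA256: {hashlib.sha256(deb).hexdigest()}\n\n"
    ).encode()
    release = (
        "Origin: Example\nSuite: stable\nSHA256:\n"
        f" {hashlib.sha256(packages).hexdigest()} {len(packages)} main/binary-i386/Packages\n"
    )
    return release, packages, deb


if __name__ == "__main__":
    release, packages, deb = build_sample()
    args = (release, "main/binary-i386/Packages", packages, "pool/main/d/demo_1.0_all.deb")
    print("intact package:  ", verify_package(*args, deb))
    print("tampered package:", verify_package(*args, deb + b"x"))
    print("tampered index:  ", verify_package(release, args[1], packages + b"\n", args[3], deb))
```

The point of checking from the top down is that a mirror can serve a consistent set of modified Packages and .deb files; only the signed Release file ties the indexes to something the mirror cannot forge, so a mismatch at any link is treated as a failure rather than an inconvenience.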