On Tue, 24 Mar 2009 13:55:13 +0200
mmacleod@... wrote:
> > > <snip>
> > I'm not sure if this is doable, but not using hashes would be great.
> The discussion on the bugzilla page is a must-read in order to
> discuss this properly; it also explains why using a hash for this is
> necessary: https://bugs.gentoo.org/150031
I'll look at it, thanks.
> > > The second kind of hash that I am talking about now is a security
> > > hash computed over the final package file. By having multiple
> > > users compile the package and generate a security hash of it, one
> > > can ensure (within reasonable doubt) that the package has not been
> > > tampered with by the contributor, by, for example, adding a rootkit
> > > to the source code.
> > As far as I know, tar is used. If times or anything like that are
> > saved in the tarball, you can forget about reproducing a tarball with
> > the same hash. Also, sometimes the time and date when it was
> > compiled are saved in the binary. So, either I don't understand you,
> > or it just will not work.
> While some hash algorithms do take file modification time into
> account this is certainly not necessary at all, and in this case a
> hash algorithm that does not take file modification time into account
> would definitely be used.
I was talking about modification times saved in the tarball, not the
modification times of the tarball. In that case, you would need to
unpack the package and hash all files in it. But to create a general
hash algorithm that hashes compressed tar files and does not take into
account any times and dates is impractical, if not impossible, to do in
a way that makes sense.
> Having most things available as binaries certainly beats having none
> or very few.
The same is true for different CFLAGS, ARCHes and USE-flag
combinations. :-D
Philipp
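The point Philipp makes above (member modification times, and the gzip header's own timestamp, change the hash of the shipped .tar.gz even when every file inside is byte-identical, so a useful "security hash" has to be computed over the unpacked contents) can be demonstrated directly. The following is an added example, not code from the list thread or from Portage; the package contents, the file names and the tampering payload are constructed for illustration only.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample "package" contents (not a real package).
FILES = {
    "pkg/usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "pkg/etc/hello.conf": b"greeting=hello\n",
}


def build_tarball(files, mtime):
    """Return a .tar.gz as bytes, stamping `mtime` on every member and on
    the gzip header. Member order, owner and mode are fixed so that the
    modification time is the only thing that differs between two builds
    of the same `files`."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name in sorted(files):
                data = files[name]
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = mtime
                info.mode = 0o755 if name.endswith("/hello") else 0o644
                info.uid = info.gid = 0
                info.uname = info.gname = "root"
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def archive_digest(blob):
    """Naive approach: hash the compressed tarball exactly as shipped."""
    return hashlib.sha256(blob).hexdigest()


def content_digest(blob):
    """Time-independent approach: unpack and hash the members themselves.
    Covered: sorted member path, entry type, permission bits, file bytes.
    Ignored on purpose: mtime, owner ids/names, and the gzip container."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            # Length-prefix every field so "a"+"bc" cannot collide with "ab"+"c".
            for field in (m.name.encode(), m.type, f"{m.mode:o}".encode()):
                h.update(len(field).to_bytes(4, "big") + field)
            if m.isfile():
                data = tar.extractfile(m).read()
                h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def demo():
    """Two builds that differ only in timestamps, plus a tampered one."""
    first = build_tarball(FILES, mtime=1_237_895_713)
    second = build_tarball(FILES, mtime=1_237_895_713 + 86_400)
    tampered_files = dict(FILES)
    # Constructed tampering: an extra line appended to the installed script.
    tampered_files["pkg/usr/bin/hello"] += b"# backdoor stub\n"
    tampered = build_tarball(tampered_files, mtime=1_237_895_713)
    return {
        "archive_hashes_differ": archive_digest(first) != archive_digest(second),
        "content_hashes_match": content_digest(first) == content_digest(second),
        "tampered_detected": content_digest(first) != content_digest(tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that this only removes the timestamps the archive format records; as the thread also points out, a compiler that embeds the build date into the binary itself will still produce different file bytes, and that has to be fixed on the build side, not by the hashing scheme.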