| 1 |
> as far as the above suggestion made by Terje is concerned You're right. |
| 2 |
> Distributed checks could easily lead to "confusion", especially working |
| 3 |
> with mirrors. But MD5 alone IS a joke when it comes to _security_ |
| 4 |
> (here: proof of origin/unmodified developer version). It's quite good |
| 5 |
> to check file corruption during data transfer. But that's it in my |
| 6 |
> eyes. If one wants secure "origin" checks there's the need for gpg |
| 7 |
> signing or something alike. Just using md5 someone who got write access |
| 8 |
> to a portage-server could easily regenerate the sum and paste it into |
| 9 |
> the ebuild including a modified SRC-URL. |
| 10 |
|
| 11 |
yeah you're right. but AFAIK are the gentoo rsync mirrors being updated every |
| 12 |
30 minutes. so if anyone is interested in putting some hacked versions in |
| 13 |
there, he could do that but will destroy every changes after mirroring the |
| 14 |
portage tree again. hmmm... but you're right!!! all people who are providing |
| 15 |
mirrors are in the position to make such things. |
| 16 |
|
| 17 |
well there are ways to do it but we have only one "master" of rsync servers so |
| 18 |
all the others will be updatet from this one. i think and hope it is this |
| 19 |
way... |
| 20 |
|
| 21 |
trust no one |
| 22 |
hanez... ;-) |
| 23 |
-- |
| 24 |
begin .signature |
| 25 |
question: is it a feature to execute code in emails? |
| 26 |
i don't think so! |
| 27 |
end |
Archives