> as far as the above suggestion made by Terje is concerned, you're right.
> Distributed checks could easily lead to "confusion", especially working
> with mirrors. But MD5 alone IS a joke when it comes to _security_
> (here: proof of origin/unmodified developer version). It's quite good
> to check file corruption during data transfer. But that's it in my
> eyes. If one wants secure "origin" checks there's the need for gpg
> signing or something alike. Just using md5, someone who got write access
> to a portage-server could easily regenerate the sum and paste it into
> the ebuild including a modified SRC-URL.

yeah you're right. but AFAIK the gentoo rsync mirrors are being updated every
30 minutes. so if anyone is interested in putting some hacked versions in
there, he could do that but will destroy all changes after mirroring the
portage tree again. hmmm... but you're right!!! all people who are providing
mirrors are in the position to make such things.

well there are ways to do it but we have only one "master" of rsync servers so
all the others will be updated from this one. i think and hope it is this
way...

trust no one
hanez... ;-)
--
begin .signature
question: is it a feature to execute code in emails?
i don't think so!
end |
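
The checksum-versus-origin point from the quoted text, as an added example that is not part of the original message or of Portage's code: a verifier that only compares the MD5 stored in the tree accepts an entry whose URL and sum were both rewritten, while a check bound to a key that never lives on the mirror rejects it. The entry layout, function names, URLs and key are assumptions, and HMAC-SHA256 stands in for the gpg signature mentioned above (a real deployment would use a public-key signature so verifiers hold no secret).

```python
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def _tag(key: bytes, src_url: str, digest: str) -> str:
    # Keyed tag binds the download URL and the digest together.
    return hmac.new(key, f"{src_url}\n{digest}".encode(), hashlib.sha256).hexdigest()

def publish(src_url: str, data: bytes, key: bytes) -> dict:
    """Developer side: emit the tree entry for one source archive."""
    digest = md5_hex(data)
    return {"src_url": src_url, "md5": digest, "tag": _tag(key, src_url, digest)}

def check_md5_only(entry: dict, data: bytes) -> bool:
    """Detects transfer corruption; says nothing about who wrote the entry."""
    return hmac.compare_digest(entry["md5"], md5_hex(data))

def check_origin(entry: dict, data: bytes, key: bytes) -> bool:
    """Digest must match AND the entry must carry a tag made with the key."""
    expected = _tag(key, entry["src_url"], entry["md5"])
    return check_md5_only(entry, data) and hmac.compare_digest(entry["tag"], expected)

def scenario() -> dict:
    key = b"constructed-developer-key"    # assumption: never stored on a mirror
    good = b"original developer tarball"  # constructed sample data
    entry = publish("https://upstream.example/pkg-1.0.tar.gz", good, key)
    # Write access to the tree: URL and sum are rewritten for another file.
    # Without the key the tag cannot be regenerated, so it stays stale.
    other = b"modified tarball"           # constructed sample data
    rewritten = dict(entry, src_url="https://mirror.example/pkg-1.0.tar.gz",
                     md5=md5_hex(other))
    return {
        "genuine_md5": check_md5_only(entry, good),
        "genuine_origin": check_origin(entry, good, key),
        "rewritten_md5": check_md5_only(rewritten, other),
        "rewritten_origin": check_origin(rewritten, other, key),
        "corrupt_md5": check_md5_only(entry, good[:-1]),
    }

if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```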