> Like I suspected there was already something similar but I hadn't found
> it before. So the files/{digests} is part of the equation. And from at
> least one rip in #gentoo it seems signing the packages seems silly to
> some...

I don't think it's silly.
Because if Gentoo signs the ebuilds (and digests), my box can trust that
what it will build out of the source is what the author wants it to do. It
is a good way to prevent the classic man-in-the-middle attack. I'm aware
that I have to trust the keyholder and the authors of the ebuilds in any
case, but I don't trust my ISP and all the boxes between my box and
cvs.gentoo.org. Also, signing the ebuilds will enable us to trust mirrors
which hold the portage tree.

I think that the digests (because they are checked after the download) are
intended to guarantee the integrity of the tarballs. But only because of
this digest can I trust the content of the mirrors.

Maybe the developers are busier with other things, but it's never too
early to think about security.

Greetings
Nils Ohlmeier
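The two-step trust chain argued for above (verify the signature on the digest file, then check the fetched tarball against the digest) as an added example; this is illustration code, not part of the thread and not Portage's own code. The signature is textbook RSA over a SHA-256 hash with no padding, a stand-in for the GPG signature the mail has in mind and not safe for real use. The distfile name, the digest-file layout and the tarball bytes are constructed for the demo.

```python
"""Toy model of a signed digest file protecting a Portage-style download.

Added illustration, not Gentoo code. The 'signature' is textbook RSA over
SHA-256 with no padding: a stand-in for GPG, insecure for real use.
"""
import hashlib
import secrets
from math import gcd


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (probabilistic, enough for a demo key)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full length
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)). n must exceed 256 bits so a SHA-256 value fits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def sign(private, data: bytes) -> int:
    """Textbook RSA signature of SHA-256(data); h < n by the key size choice."""
    n, d = private
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(h, d, n)


def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(sig, e, n) == h


def make_digest_file(files: dict) -> bytes:
    """Constructed digest-file format: 'SHA256 <hex> <name> <size>' per distfile."""
    lines = [f"SHA256 {hashlib.sha256(b).hexdigest()} {name} {len(b)}"
             for name, b in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()


def parse_digest_file(data: bytes) -> dict:
    entries = {}
    for line in data.decode().splitlines():
        algo, hexdigest, name, size = line.split()
        if algo != "SHA256":
            raise ValueError(f"unsupported digest algorithm {algo}")
        entries[name] = (hexdigest, int(size))
    return entries


def verify_download(public, digest_file, sig, name, tarball, require_signature=True):
    """Return 'ok' or the reason the fetched file must be rejected.

    Step 1 (signature) catches a mirror that rewrites the digest file to match
    a trojaned tarball; step 2 is the size/hash check done after fetching.
    """
    if require_signature and not verify(public, digest_file, sig):
        return "digest file signature invalid"
    entries = parse_digest_file(digest_file)
    if name not in entries:
        return "file not listed in digest file"
    expected_hex, expected_size = entries[name]
    if len(tarball) != expected_size:
        return "size mismatch"
    if hashlib.sha256(tarball).hexdigest() != expected_hex:
        return "digest mismatch"
    return "ok"


def demo():
    """Honest mirror, tampered tarball, and a mirror rewriting digest + tarball."""
    gentoo_pub, gentoo_priv = generate_keypair()
    name = "foo-1.0.tar.gz"                          # made-up distfile name
    tarball = b"constructed sample tarball bytes"    # constructed sample input
    digest_file = make_digest_file({name: tarball})
    sig = sign(gentoo_priv, digest_file)

    trojaned = bytearray(tarball)
    trojaned[0] ^= 0x01                              # same size, different content
    trojaned = bytes(trojaned)

    # A hostile mirror can rewrite the digest file too, but without Gentoo's
    # private key it can only sign with a key of its own.
    forged_digest = make_digest_file({name: trojaned})
    _, mirror_priv = generate_keypair()
    forged_sig = sign(mirror_priv, forged_digest)

    return {
        "honest": verify_download(gentoo_pub, digest_file, sig, name, tarball),
        "tampered_tarball": verify_download(gentoo_pub, digest_file, sig, name, trojaned),
        "rewritten_mirror_signed": verify_download(
            gentoo_pub, forged_digest, forged_sig, name, trojaned),
        "rewritten_mirror_unsigned": verify_download(
            gentoo_pub, forged_digest, None, name, trojaned, require_signature=False),
    }
```

The last case is the point of the mail: with digests alone, a mirror that rewrites both the digest file and the tarball passes the check, so the digest only lets you trust the tarball relative to the tree you fetched; the signature is what extends that trust to the mirror.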