| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On July 19, 2002 05:20 am, Nils Decker wrote: |
| 5 |
> > > propose or take it from the distribution system. Basically the |
| 6 |
> > > same as ccache ;-) |
| 7 |
> > |
| 8 |
> > I like the idea. I was thinking of something similar. |
| 9 |
> > I think it's possible to hash the use flags used to build |
| 10 |
> > the package and compare it to the package to be downloaded. |
| 11 |
> |
| 12 |
> I see another problem with this. There is no way to make the packages |
| 13 |
> trusted. In the portage tree, every downloaded file is checked against a |
| 14 |
> MD5 hash. This means, I have to trust the person who build the port. This |
| 15 |
> is not a big problem to me, because those people are "near" to the gentoo |
| 16 |
> core, and everybody can check the MD5s against the official downloads of |
| 17 |
> the packet. |
| 18 |
> |
| 19 |
> I can't do this sort of check agains precompiled binaries, because every |
| 20 |
> binary would have a different MD5. The only way to check would to compile |
| 21 |
> the package myself with the same flags, thus defeating the purpose. |
| 22 |
> Using those binary packages means to trust every user of gentoo, that he |
| 23 |
> doesn't put trojans or whatever on my system. |
| 24 |
|
| 25 |
The MD5 hash verification is only providing proof that the file you've |
| 26 |
transferred between the distribution server and your PC was the same intended |
| 27 |
by the server on which you did your rsync of the digest files. |
| 28 |
|
| 29 |
You actually implicitely trust that whoever put the digest files inside the |
| 30 |
rsync server used "correct" sources tarballs, you could verify that but the |
| 31 |
process is kind of lenghty as it would be for a binary check too. |
| 32 |
|
| 33 |
And now because there may be multiple rsync server, that trust is getting less |
| 34 |
and less meaningful. |
| 35 |
|
| 36 |
To fix that, one would have to actually use the same PGP signature of the |
| 37 |
package as the one provided on the original distribution site from the |
| 38 |
original author. |
| 39 |
|
| 40 |
- -- |
| 41 |
|
| 42 |
Yannick Koehler |
| 43 |
|
| 44 |
-----BEGIN PGP SIGNATURE----- |
| 45 |
Version: GnuPG v1.0.6 (GNU/Linux) |
| 46 |
Comment: For info see http://www.gnupg.org |
| 47 |
|
| 48 |
iD8DBQE9OA5ofuKOJNEyL1URAgjIAJ9uevL5x70xa9gpTZsckyivZzAcRQCdEVry |
| 49 |
YpQYX7E3DVoJtRlhTXQyqpg= |
| 50 |
=djr/ |
| 51 |
-----END PGP SIGNATURE----- |
Archives