On 10/08/17 06:35, William L. Thomson Jr. wrote:
> FYI binpkgs have no hash. If someone did something malicious within the
> binhost to the binpkgs. You have no way of knowing. Yes the same can
> happen with ebuilds and manifest. But easy to sync portage and see if a
> manifest has changed.

This isn't exactly true - see ${PKGDIR}/Packages on the binhost, which
is a manifest of built packages and related metadata. Granted this is
created by the binhost, it does exist and contains SHA1 and MD5 hashes,
as well as package size. In that sense it's no different to how a
package Manifest file works within a repository.

--
Sam Jorna (wraeth)
GnuPG ID: D6180C26
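
Added example, not part of the original message and not Portage's own code: a client-side check of a downloaded binpkg against the SIZE, MD5 and SHA1 recorded for it in `${PKGDIR}/Packages`. It assumes the index is blank-line-separated stanzas of `KEY: value` lines with a `CPV` key per package; the sample index and payload are constructed. Because the index is generated by the binhost, a match only shows the file agrees with what the binhost published.

```python
import hashlib

# Constructed sample: a minimal Packages index (header stanza, then one
# stanza per package). Only the keys used below are shown.
SAMPLE_PAYLOAD = b"constructed binpkg payload\n"
SAMPLE_INDEX = """\
PACKAGES: 1
VERSION: 0

CPV: app-misc/example-1.0
MD5: {md5}
SHA1: {sha1}
SIZE: {size}
""".format(
    md5=hashlib.md5(SAMPLE_PAYLOAD).hexdigest(),
    sha1=hashlib.sha1(SAMPLE_PAYLOAD).hexdigest(),
    size=len(SAMPLE_PAYLOAD),
)


def parse_packages_index(text):
    """Return {CPV: {key: value}} from blank-line-separated 'KEY: value' stanzas."""
    entries = {}
    for stanza in text.split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "CPV" in fields:  # the header stanza has no CPV and is skipped
            entries[fields["CPV"]] = fields
    return entries


def verify_binpkg(entry, data):
    """Return the list of mismatched fields; an empty list means the file matches."""
    problems = []
    if "SIZE" not in entry or int(entry["SIZE"]) != len(data):
        problems.append("SIZE")
    for key, algo in (("MD5", "md5"), ("SHA1", "sha1")):
        if entry.get(key, "").lower() != hashlib.new(algo, data).hexdigest():
            problems.append(key)
    return problems
```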