| 1 |
On 10/08/17 06:35, William L. Thomson Jr. wrote: |
| 2 |
> FYI binpkgs have no hash. If someone did something malicious within the |
| 3 |
> binhost to the binpkgs. You have no way of knowing. Yes the same can |
| 4 |
> happen with ebuilds and manifest. But easy to sync portage and see if a |
| 5 |
> manifest has changed. |
| 6 |
|
| 7 |
This isn't exactly true - see ${PKGDIR}/Packages on the binhost, which |
| 8 |
is a manifest of built packages and related metadata. Granted this is |
| 9 |
created by the binhost, it does exist and contains SHA1 and MD5 hashes, |
| 10 |
as well as package size. In that sense it's no different to how a |
| 11 |
package Manifest file works within a repository. |
| 12 |
|
| 13 |
-- |
| 14 |
Sam Jorna (wraeth) |
| 15 |
GnuPG ID: D6180C26 |
Archives