Gentoo Archives: gentoo-dev

From: Alexander Holler <holler@××××××××××.de>
To: gentoo-dev@g.o
Subject: Re: [gentoo-dev] Idea about signing ebuilds
Date: Fri, 07 Jun 2002 14:42:10
Message-Id: 579260000.1023478972@krabat.ahsoftware
In Reply to: Re: [gentoo-dev] Idea about signing ebuilds by Jeremiah Mahler
Hi Jeremiah,

--On Friday, June 07, 2002 02:34:52 -0700 Jeremiah Mahler
<jmahler@×××××××.net> wrote:

> If anyone can submit ebuilds and the only way a user can discern between
> different ebuilds is by the version number, then the following is true:
> 1. an ebuild can contain malicious code (worm, virus, etc)
> 2. nothing will prevent the user from using a malicious ebuild

Clearly, but I think everyone whose ebuild has made it into the
distribution (or got signed) has at least a name and an email address. ;)

So he isn't as anonymous as a blackhat needs or wants to be, if he wants to
submit malicious code.

And whether someone gets a key or access to cvs (or anything which allows him
to distribute ebuilds) isn't such a great difference. We have to trust them
anyway (as we have to trust those thousands of developers who are writing
the programs).

To end that discussion (I think we both want almost the same), I'm just at
the point to start it simple (with one key for the server). It isn't much
work and it's no problem to extend that later.

Regards,

Alexander
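As an added illustration of the "one key for the server" model Alexander mentions (example code written for this archive page, not code from the Gentoo project or from anyone in the thread): the server signs a single manifest of ebuild hashes with one Ed25519 key, and the client refuses any ebuild whose name and contents are not listed under that signature. The file names and ebuild contents below are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample ebuild tree (file name -> contents); not real Portage files.
var SampleTree = map[string]string{
	"foo-1.0.ebuild": "DESCRIPTION=\"foo\"\nSRC_URI=\"http://example.invalid/foo-1.0.tar.gz\"\n",
	"foo-1.1.ebuild": "DESCRIPTION=\"foo\"\nSRC_URI=\"http://example.invalid/foo-1.1.tar.gz\"\n",
}

// entry is the manifest line for one ebuild: "<sha256 hex> <file name>".
func entry(name, content string) string {
	sum := sha256.Sum256([]byte(content))
	return hex.EncodeToString(sum[:]) + " " + name
}

// BuildManifest lists every ebuild so the server signs one document for the tree.
func BuildManifest(tree map[string]string) string {
	lines := make([]string, 0, len(tree))
	for n, c := range tree {
		lines = append(lines, entry(n, c))
	}
	sort.Strings(lines) // deterministic output regardless of map iteration order
	return strings.Join(lines, "\n") + "\n"
}

// SignManifest runs on the server, the only holder of the single private key.
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyEbuild runs on the client before an ebuild is sourced: the manifest must
// verify under the server's public key and must list this exact name and hash.
func VerifyEbuild(pub ed25519.PublicKey, manifest string, sig []byte, name, content string) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return fmt.Errorf("manifest not signed by the server key")
	}
	if !strings.Contains("\n"+manifest, "\n"+entry(name, content)+"\n") {
		return fmt.Errorf("%s: not in signed manifest or contents modified", name)
	}
	return nil
}
```

Because only the manifest carries a signature, an ebuild edited after signing, an ebuild added to the tree without the server key, or a manifest re-signed with any other key all fail the client check.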
