Gentoo Archives: gentoo-dev

From: Alexander Holler <holler@××××××××××.de>
To: gentoo-dev@g.o
Subject: [gentoo-dev] Idea about signing ebuilds
Date: Thu, 06 Jun 2002 15:19:41
Message-Id: 92340000.1023389790@krabat.ahsoftware

Hello,

what do you think about signing the ebuilds and digests with gpg?

That would make it harder for blackhats to introduce a worm or something
similar (if they have got access to an rsync mirror).

My idea is to automatically sign the released ebuilds (before mirroring 
them) with a key of gentoo.org.

Then emerge could check the sign and could discard wrong ebuilds or just
throw a warning (preferably customized with make.conf).

Just my 2 cents. ;)


Alexander
