| 1 |
Johannes Findeisen wrote: |
| 2 |
|
| 3 |
> On Thursday 01 August 2002 15:39, Rob Kaper wrote: |
| 4 |
>> On Thursday 01 August 2002 15:35, Terje Kvernes wrote: |
| 5 |
>> > if the checksum differ, which it would have, emerge will abort. |
| 6 |
>> > although, emerge logs do sound like a very good idea. |
| 7 |
>> |
| 8 |
>> For optimum security, emerge should check checksums from different |
| 9 |
>> locations. One or two trusted servers (often even the same as the one |
| 10 |
>> where the files reside, although that might not be true for gentoo) |
| 11 |
>> can be compromised too easily. |
| 12 |
> |
| 13 |
> if this should be a option in portage, we always need to download two |
| 14 |
> files from two servers to check if the md5sum are the same... :-( |
| 15 |
> IMO it is good as it is. the gentoo-core team are providing a md5sum |
| 16 |
> in the portage tree and that should be enough. |
| 17 |
> |
| 18 |
|
| 19 |
Hi Johannes, |
| 20 |
|
| 21 |
as far as the above suggestion made by Terje is concerned You're right. |
| 22 |
Distributed checks could easily lead to "confusion", especially working |
| 23 |
with mirrors. But MD5 alone IS a joke when it comes to _security_ |
| 24 |
(here: proof of origin/unmodified developer version). It's quite good |
| 25 |
to check file corruption during data transfer. But that's it in my |
| 26 |
eyes. If one wants secure "origin" checks there's the need for gpg |
| 27 |
signing or something alike. Just using md5 someone who got write access |
| 28 |
to a portage-server could easily regenerate the sum and paste it into |
| 29 |
the ebuild including a modified SRC-URL. |
| 30 |
|
| 31 |
OK. "Even" the OpenBSD devel core team didn't manage to integrate |
| 32 |
private keys that way (maybe in general they're chaotic). One big |
| 33 |
problem handling this would be/is/was the key availability for people |
| 34 |
downloading files ... at least it's like that dealing with some of the |
| 35 |
OBSD dev-staff ... |
| 36 |
|
| 37 |
Andrew |
| 38 |
|
| 39 |
-- |
| 40 |
Andreas Waschbuesch, GAUniversity KG MA FNZ FK01 |
| 41 |
eMail: awaschb@××××.de |
| 42 |
|
| 43 |
Pete: Waiter, this meat is bad. |
| 44 |
Waiter: Who told you? |
| 45 |
Pete: A little swallow. |
Archives