| 1 |
On Wed, 18 Feb 2004 10:51:35 -0700 |
| 2 |
will.richey@×××××××××××××.com wrote: |
| 3 |
|
| 4 |
> emerge -u xyzzy: |
| 5 |
> - get source package from actual distributor, NOT GENTOO |
| 6 |
> - compare MD5 of that to MD5 hash in portage tree |
| 7 |
> - continue ebuild |
| 8 |
> |
| 9 |
> So, the MD5 hash in the portage tree comes from a different server |
| 10 |
> than the source package. So, the determined attacker would have to |
| 11 |
> control considerable more than one site. |
| 12 |
|
| 13 |
One could specify a different file to download. It wont find the file on a |
| 14 |
Gentoo mirror and will download it from where it is specified in the |
| 15 |
ebuild. Also I could care less if it actually downloads the real file. The |
| 16 |
ebuild could patch the code or do many other things. The ebuilds, |
| 17 |
packages, and patches need to be signed in some way. Then you just have to |
| 18 |
trust the developers and that no keys get stolen. Or you can check |
| 19 |
everything before you install something. |
| 20 |
|
| 21 |
|
| 22 |
Russell Valentine |
Archives