Gentoo Archives: gentoo-security

From: Brian Klauss <brklauss@×××××××××.net>
To: gentoo-security@l.g.o
Subject: [gentoo-security] Thoughts on Package Security
Date: Tue, 17 Feb 2004 06:20:34
Message-Id: 001101c3f51e$14a53060$0702a8c0@neo

Why not take package security one step deeper to ensure the validity of every ebuild and source-tree?

Instead of relying upon a master hash of the compressed package, create a hash for each source file, documentation, makefile, etc., and as part of the emerge process, the application validates the compressed hash, then looks at each decompressed file and compares the hash value of it against a master repository.

Once everything checks out, we then guarantee that the compressed package and all related source files are true to the source as it was created since the master hash tables are contained in the master repository instead of within the compressed file (which can be altered).

Just an idea, and if I am way off, let me know.

Brian...


Subject Author
Re: [gentoo-security] Thoughts on Package Security guerrilla_thought <alt-0x54@×××××××.com>
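
The per-file check proposed in the message above, sketched as an added example that is not part of the original post and is not Portage code. SHA-256, the function names and the constructed sample files are assumptions made here; the manifest stands in for the hash table held in the master repository.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of one file, read in chunks so large sources do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in root.rglob("*") if p.is_file()}


def verify_tree(root, manifest):
    """Compare an unpacked tree with the manifest; return (modified, missing, extra)."""
    actual = build_manifest(root)
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in actual)
    extra = sorted(p for p in actual if p not in manifest)
    return modified, missing, extra


def demo():
    """Constructed sample tree, tampered with after the manifest is recorded."""
    samples = {"Makefile": b"all:\n\tcc main.c\n",
               "main.c": b"int main(void){return 0;}\n",
               "README": b"docs\n"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in samples.items():
            (root / rel).write_bytes(body)
        manifest = build_manifest(root)      # kept in the repository, not the archive
        clean = verify_tree(root, manifest)
        (root / "main.c").write_bytes(b"int main(void){return 1;}\n")  # altered file
        (root / "README").unlink()                                     # removed file
        (root / "extra.sh").write_bytes(b"#!/bin/sh\n")                # unlisted file
        return clean, verify_tree(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Reporting unlisted files matters as much as comparing hashes: checking only the paths named in the manifest would pass a tree that has had a file added to it. The manifest is only as trustworthy as the channel it arrives over, so it needs its own authentication, such as a signature.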