1 |
(1) Run "find /usr/portage -type f | xargs sha1sum -b" on |
2 |
the Gentoo main system. |
3 |
|
4 |
(2) Sign the output with GPG. |
5 |
|
6 |
(3) Put it into the portage tree. |
7 |
|
8 |
(4) If the user has GPG installed and has manually put the |
9 |
appropriate public key in some place _outside_ of the |
10 |
portage tree, have "emerge sync" verify that the |
11 |
signature is intact and all hashes hold. |
12 |
|
13 |
(5) Missing files in the tree are okay (rsync_excludes), |
14 |
files in the tree which do not have a hash are not okay. |
15 |
|
16 |
|
17 |
-- |
18 |
gentoo-security@g.o mailing list |