| 1 |
On Tue, 24 Mar 2009 13:55:13 +0200 |
| 2 |
mmacleod@××××××××××.za wrote: |
| 3 |
|
| 4 |
> > > <snip> |
| 5 |
> > I'm not sure if this is doable, but not using hashes would be great. |
| 6 |
> The discussion on the bugzilla page is a must read in order to |
| 7 |
> discuss this properly, it also explains why using a hash for this is |
| 8 |
> necessary https://bugs.gentoo.org/150031 |
| 9 |
|
| 10 |
I'll look at it, thanks. |
| 11 |
|
| 12 |
> > > The second kind of hash that I am talking about now is a security |
| 13 |
> > > hash computed over the final package file. By having multiple |
| 14 |
> > > users compile the package and generate a security hash of it one |
| 15 |
> > > can ensure(within reasonable doubt) that the package has not been |
| 16 |
> > > tampered with by the contributor, by for example adding a rootkit |
| 17 |
> > > to the source code. |
| 18 |
> > As far as I know, tar is used. If times or anything like that are |
| 19 |
> > saved in the tarball, you can forget to reproduce a tarball with |
| 20 |
> > the same hash. Also, sometimes the time and date when it was |
| 21 |
> > compiled is saved in the binary. So, either I don't understand you, |
| 22 |
> > or it just will not work. |
| 23 |
> While some hash algorithms do take file modification time into |
| 24 |
> account this is certainly not necessary at all, and in this case a |
| 25 |
> hash algorithm that does not take file modification time into account |
| 26 |
> would definitely be used. |
| 27 |
|
| 28 |
I was talking about modification times saved in the tarball, not the |
| 29 |
modification times of the tarball. In that case, you would need to |
| 30 |
unpack the package and hash all files in it. But to create a general |
| 31 |
hash algorithm that hashes compressed tar files and does not take into |
| 32 |
account any times and dates is impractical, if not impossible to do it |
| 33 |
so that it makes sense. |
| 34 |
|
| 35 |
> Having most things available as binaries certainly beats having none |
| 36 |
> or very few. |
| 37 |
|
| 38 |
The same is true for different CFLAGS, ARCHes and USE-flag |
| 39 |
combinations. :-D |
| 40 |
|
| 41 |
Philipp |
Archives