On Tue, 24 Mar 2009 13:55:13 +0200
mmacleod@××××××××××.za wrote:

> > > <snip>
> > I'm not sure if this is doable, but not using hashes would be great.
> The discussion on the bugzilla page is a must read in order to
> discuss this properly, it also explains why using a hash for this is
> necessary https://bugs.gentoo.org/150031

I'll look at it, thanks.

> > > The second kind of hash that I am talking about now is a security
> > > hash computed over the final package file. By having multiple
> > > users compile the package and generate a security hash of it one
> > > can ensure (within reasonable doubt) that the package has not been
> > > tampered with by the contributor, by for example adding a rootkit
> > > to the source code.
> > As far as I know, tar is used. If times or anything like that are
> > saved in the tarball, you can forget to reproduce a tarball with
> > the same hash. Also, sometimes the time and date when it was
> > compiled is saved in the binary. So, either I don't understand you,
> > or it just will not work.
> While some hash algorithms do take file modification time into
> account this is certainly not necessary at all, and in this case a
> hash algorithm that does not take file modification time into account
> would definitely be used.

I was talking about modification times saved in the tarball, not the
modification times of the tarball. In that case, you would need to
unpack the package and hash all files in it. But to create a general
hash algorithm that hashes compressed tar files and does not take into
account any times and dates is impractical, if not impossible to do it
so that it makes sense.

> Having most things available as binaries certainly beats having none
> or very few.

The same is true for different CFLAGS, ARCHes and USE-flag
combinations. :-D

Philipp
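The point Philipp makes above (a checksum of the compressed tarball changes whenever the member mtimes stored inside it change, so a comparable hash has to be taken over the unpacked file names and contents instead) can be shown in a few lines. The script below is an added example written for this thread; it is not Portage code and not anything from the bug linked above. It builds two constructed in-memory tar.gz archives with identical contents but different stored mtimes, hashes each once as raw bytes and once over the sorted member names and contents (ignoring mtime, uid/gid and mode), and also shows that a modified file is still detected by the content hash. It does not address timestamps that a compiler embeds inside a binary, which the quoted message also raises; those have to be removed at build time.

```python
import hashlib
import io
import tarfile


def archive_hash(data: bytes) -> str:
    """SHA-256 of the raw tar.gz bytes, as a plain checksum of the package file."""
    return hashlib.sha256(data).hexdigest()


def content_hash(data: bytes) -> str:
    """SHA-256 over the unpacked regular files only: sorted member name, length, bytes.

    Header fields such as mtime, uid/gid and mode are deliberately not hashed, so
    two archives of the same files packed at different times compare equal.
    """
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        members = sorted((m for m in tar.getmembers() if m.isfile()),
                         key=lambda m: m.name)
        for m in members:
            payload = tar.extractfile(m).read()
            # Length-prefix name and data so that (name, data) boundaries are unambiguous.
            h.update(m.name.encode("utf-8") + b"\0")
            h.update(len(payload).to_bytes(8, "big"))
            h.update(payload)
    return h.hexdigest()


def build_tarball(files: dict, mtime: int) -> bytes:
    """Constructed sample input: an in-memory tar.gz with the given mtime on every member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz", compresslevel=6) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name=name)
            info.size = len(files[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


# Constructed package contents (hypothetical paths, not a real Gentoo binpkg).
SAMPLE_FILES = {
    "usr/bin/example": b"\x7fELF-placeholder-binary\n",
    "usr/share/doc/example/README": b"example package\n",
}
TAMPERED_FILES = dict(SAMPLE_FILES, **{"usr/bin/example": b"\x7fELF-placeholder-binary-modified\n"})


def demo():
    """Return (archive hashes differ, content hashes equal, tampering detected)."""
    first = build_tarball(SAMPLE_FILES, mtime=0)
    second = build_tarball(SAMPLE_FILES, mtime=1237895713)   # same files, later mtime
    tampered = build_tarball(TAMPERED_FILES, mtime=0)
    return (
        archive_hash(first) != archive_hash(second),
        content_hash(first) == content_hash(second),
        content_hash(first) != content_hash(tampered),
    )


if __name__ == "__main__":
    differ, equal, detected = demo()
    print("raw archive hashes differ with mtime:", differ)
    print("content hashes agree despite mtime:  ", equal)
    print("content hash detects changed file:   ", detected)
```

Ignoring mode and ownership is the right trade-off for comparing builds from many users, but it also means a package whose only change is a setuid bit would pass this check; a production scheme would hash a canonical form of those fields as well, with mtime being the one header value that genuinely has to be dropped.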