| 1 |
On Tue, 24 Mar 2009 09:45:30 +0200 |
| 2 |
mmacleod@××××××××××.za wrote: |
| 3 |
|
| 4 |
> > Then have a hash generate set up where it would take |
| 5 |
> > the name, version, and use flags, cflags and hash just that |
| 6 |
> > information. |
| 7 |
> We are talking about two different types of hashes. |
| 8 |
> There would be a hash in the package names in order to tell the |
| 9 |
> difference between package foo compiled with use flag "bar" and |
| 10 |
> package foo compiled without useflag "baa"(It would also have to take |
| 11 |
> into account cflags and dependency versions), this is part of the |
| 12 |
> "improved binary support idea". |
| 13 |
|
| 14 |
I'm not sure if this is doable, but not using hashes would be great. |
| 15 |
It would be cool to encode as much information as possible so that it |
| 16 |
can be decoded again. In any case, there should be a database with what |
| 17 |
the hashes mean, so that users can see "Ok, i use this and that CLFAGS |
| 18 |
and this and that USE-flags, and if i now change that USE-flag which I |
| 19 |
don't really care about and add -pipe to my CFLAGS, I can find almost |
| 20 |
everything I need as binary packages". |
| 21 |
|
| 22 |
It would also be cool to work with the stats project here to find out, |
| 23 |
which CFLAGS and USE-flags are used, which packages are installed. |
| 24 |
|
| 25 |
> The second kind of hash that I am talking about now is a security |
| 26 |
> hash computed over the final package file. By having multiple users |
| 27 |
> compile the package and generate a security hash of it one can |
| 28 |
> ensure(within reasonable doubt) that the package has not been |
| 29 |
> tampered with by the contributor, by for example adding a rootkit to |
| 30 |
> the source code. |
| 31 |
|
| 32 |
As far as I know, tar is used. If times or anything like that are saved |
| 33 |
in the tarball, you can forget to reproduce a tarball with the same |
| 34 |
hash. Also, sometimes the time and date when it was compiled is saved |
| 35 |
in the binary. So, either I don't understand you, or it just will not |
| 36 |
work. |
| 37 |
|
| 38 |
Philipp |
Archives