So to avoid "spamming" with 20+ Thank You emails I'll send out just one and
thank you all collectively for the information provided (I hope this isn't
rude - I'm not sure of proper protocol in this situation).

I have a lot more insight now and some new ideas of where I need to look to
learn more. This is a great community and it reflects in the OS - I don't
know why I waited so long to try Gentoo!
-john

-----Original Message-----
From: Jonas de Buhr [mailto:jonas.de.buhr@×××.net]
Sent: Wednesday, April 07, 2010 8:35 AM
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Portage + checksums


>This was an argument against Gentoo more than six or seven years ago
>with regards to the security of whole portage system.

Every package management system which uses hashes to verify integrity
has the same problems.

I think a lot of source tarballs are downloaded from the official sites
anyway. Someone really paranoid might manually check the patches.

>A number of
>suggestions were made in those early days, one of them being to sync
>with two mirrors and diff the ebuilds/Manifests/Distfiles affected by
>these two most recent syncs. As far as I know people didn't go for
>this because it was perceived that the system as implemented was
>secure enough and anyway the proposed solution would put too much
>pressure on the mirrors.

I do not have the intention to restart the discussion you mentioned.
But getting hashes and tarballs from the same source (mirror) doesn't go
far for security. At the moment I just trust the official mirrors and
trust that the community would realize soon if there were trojaned
packages the same way I trust apache or the kernel devs not to do
anything funny.

But I still like the idea of files signed with asynchr. crypt. I sure
will have a look into "FEATURES=sign".

/jdb
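The point Jonas makes above, that a hash in a Manifest served by the same mirror as the tarball proves nothing against that mirror, while a Manifest signed with a key the mirror does not hold does, shown as an added example. This is not code from the thread or from Portage: it imitates a single simplified Manifest2 "DIST" line, stands in an Ed25519 signature for the GPG signature that FEATURES=sign would attach, and the mirror contents, file names and keys are all constructed for the demonstration. The tampered mirror rewrites both the distfile and its Manifest line so the hashes agree, which a hash-only client accepts; only the client that pins the developer's public key out of band notices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Mirror stands in for one rsync/HTTP mirror: it serves a Manifest, a
// detached signature over that Manifest, and the distfiles the Manifest lists.
type Mirror struct {
	Manifest  []byte
	Signature []byte
	Distfiles map[string][]byte
}

// entry is what a Manifest promises about one distfile.
type entry struct {
	size int
	sha  string
}

// manifestLine renders one simplified Manifest2-style line:
// "DIST <file> <size> SHA256 <hex>" (assumed format, SHA256 only).
func manifestLine(name string, data []byte) string {
	sum := sha256.Sum256(data)
	return fmt.Sprintf("DIST %s %d SHA256 %s\n", name, len(data), hex.EncodeToString(sum[:]))
}

// parseManifest maps file name -> expected size and SHA256.
func parseManifest(m []byte) (map[string]entry, error) {
	out := map[string]entry{}
	for _, line := range strings.Split(strings.TrimSpace(string(m)), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 || f[0] != "DIST" || f[3] != "SHA256" {
			return nil, fmt.Errorf("malformed Manifest line: %q", line)
		}
		n, err := strconv.Atoi(f[2])
		if err != nil {
			return nil, err
		}
		out[f[1]] = entry{size: n, sha: f[4]}
	}
	return out, nil
}

// VerifyHashesOnly is the hash-only client: it trusts whatever Manifest the
// mirror hands over and checks the distfile against it.
func VerifyHashesOnly(m *Mirror, file string) error {
	entries, err := parseManifest(m.Manifest)
	if err != nil {
		return err
	}
	e, ok := entries[file]
	if !ok {
		return errors.New("file not listed in Manifest")
	}
	data, ok := m.Distfiles[file]
	if !ok {
		return errors.New("mirror does not serve that distfile")
	}
	if len(data) != e.size {
		return errors.New("size mismatch")
	}
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != e.sha {
		return errors.New("SHA256 mismatch")
	}
	return nil
}

// VerifySigned first checks the Manifest against a public key the client
// obtained out of band (never from the mirror), then runs the hash check.
func VerifySigned(m *Mirror, pub ed25519.PublicKey, file string) error {
	if !ed25519.Verify(pub, m.Manifest, m.Signature) {
		return errors.New("Manifest signature invalid: Manifest was not produced by the key holder")
	}
	return VerifyHashesOnly(m, file)
}

// Scenario holds an honest mirror, a compromised one, and the pinned key.
type Scenario struct {
	Honest, Tampered *Mirror
	Pub              ed25519.PublicKey
}

// NewScenario builds both mirrors from constructed sample data.
func NewScenario() (*Scenario, error) {
	// Developer key: the private half stays with the developer, the public
	// half is what a client pins. (FEATURES=sign would use a GPG key here.)
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	const name = "foo-1.0.tar.gz" // constructed name, not a real package
	good := []byte("honest upstream source of foo 1.0")
	manifest := []byte(manifestLine(name, good))
	honest := &Mirror{Manifest: manifest, Signature: ed25519.Sign(priv, manifest),
		Distfiles: map[string][]byte{name: good}}

	// The compromised mirror swaps the tarball and regenerates the Manifest so
	// the hash matches; lacking priv it can only replay the old signature.
	bad := []byte("trojaned source of foo 1.0 with a backdoor")
	tampered := &Mirror{Manifest: []byte(manifestLine(name, bad)), Signature: honest.Signature,
		Distfiles: map[string][]byte{name: bad}}
	return &Scenario{Honest: honest, Tampered: tampered, Pub: pub}, nil
}

func main() {
	s, err := NewScenario()
	if err != nil {
		panic(err)
	}
	const f = "foo-1.0.tar.gz"
	fmt.Println("hash-only, honest mirror:  ", VerifyHashesOnly(s.Honest, f))
	fmt.Println("hash-only, tampered mirror:", VerifyHashesOnly(s.Tampered, f))
	fmt.Println("signed, honest mirror:     ", VerifySigned(s.Honest, s.Pub, f))
	fmt.Println("signed, tampered mirror:   ", VerifySigned(s.Tampered, s.Pub, f))
}
```

The hash-only check returns nil for both mirrors, which is exactly the weakness in the message: the hash only binds the tarball to a Manifest that came from the same untrusted source. The signed check still relies on the hash for the tarball itself, but the Manifest is now bound to a key the mirror cannot use, so rewriting both files together no longer helps. Note that the key must be pinned from somewhere other than the mirror; a public key fetched alongside the Manifest reintroduces the same problem one level up.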