On Tue, Apr 6, 2010 at 3:41 PM, Alan McKinnon <alan.mckinnon@×××××.com> wrote:
> On Tuesday 06 April 2010 20:56:30 Butterworth, John W. wrote:
>> Thanks.
>>
>> Do you know if someone makes a change to a copy of apache hosted on a
>> public mirror, will the sync between the servers determine that it's
>> corrupted (via 'bad' checksum) on the public side and replace it?
>
> I can answer this, I run a public Gentoo mirror (not an official one)
>
> If I, or some clown, loads a trojaned copy of Apache source code into
> my distfiles mirror, portage will complain bitterly because the hash in the
> manifest will fail. Then you will know something is wrong.
>
> If I trojan the ebuild and the portage tree to match my trojaned sources, you
> will probably not pick it up. This would be very risky indeed for me to do as
> I can't be sure you will sync the tree and get your distfiles from me.

Isn't there something like FEATURES="gpg" to enable checking gpg
signatures on ebuilds? (I haven't tried it so I don't know if this is
actually used)
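
Added example, not part of the thread and not Portage's own code: a minimal check of a distfile against a Manifest `DIST` entry. It shows that a modified file fails against the trusted Manifest but passes once the Manifest is regenerated to match, which is why the Manifest itself has to be authenticated. The file name, file contents and the SHA256/SHA512 hash set are constructed assumptions.

```python
import hashlib

# Manifest hash names mapped to hashlib constructors (subset assumed for this example).
HASHES = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def make_dist_entry(name, data):
    """Build a 'DIST <file> <size> <HASH> <hex> ...' Manifest line."""
    parts = ["DIST", name, str(len(data))]
    for h, fn in HASHES.items():
        parts += [h, fn(data).hexdigest()]
    return " ".join(parts)

def parse_manifest(text):
    """Return {filename: (size, {hashname: hexdigest})} for DIST entries."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != "DIST":
            continue
        entries[f[1]] = (int(f[2]), dict(zip(f[3::2], f[4::2])))
    return entries

def verify_distfile(manifest_text, name, data):
    """Return a list of failures; an empty list means the file matches."""
    entries = parse_manifest(manifest_text)
    if name not in entries:
        return ["no DIST entry"]
    size, digests = entries[name]
    failures = []
    if len(data) != size:
        failures.append("size")
    checked = 0
    for h, expected in digests.items():
        if h in HASHES:
            checked += 1
            if HASHES[h](data).hexdigest() != expected.lower():
                failures.append(h)
    if checked == 0:
        failures.append("no supported hash")
    return failures

# Constructed sample data, not a real release.
NAME = "example-1.0.tar.bz2"
GOOD = b"original upstream source\n"
BAD = b"modified source on a mirror\n"
TRUSTED_MANIFEST = make_dist_entry(NAME, GOOD)      # from a tree you trust
REGENERATED_MANIFEST = make_dist_entry(NAME, BAD)   # tree altered to match the file

if __name__ == "__main__":
    print(verify_distfile(TRUSTED_MANIFEST, NAME, BAD))      # hash check catches it
    print(verify_distfile(REGENERATED_MANIFEST, NAME, BAD))  # hash check alone does not
```

The second call returning no failures is the case described in the quoted reply: the hash comparison only ties the file to the Manifest, so the Manifest needs a signature check from a key obtained independently of the mirror.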