| 1 |
On Tue, Apr 6, 2010 at 3:41 PM, Alan McKinnon <alan.mckinnon@×××××.com> wrote: |
| 2 |
> On Tuesday 06 April 2010 20:56:30 Butterworth, John W. wrote: |
| 3 |
>> Thanks. |
| 4 |
>> |
| 5 |
>> Do you know if someone makes a change to a copy of apache hosted on a |
| 6 |
>> public mirror, will the sync between the servers determine that it's |
| 7 |
>> corrupted (via 'bad' checksum) on the public side and replace it? |
| 8 |
> |
| 9 |
> I can answer this, I run a public Gentoo mirror (not an official one) |
| 10 |
> |
| 11 |
> If I, or some clown, loads a trojaned copy of Apache source code into |
| 12 |
> my distfiles mirror, portage will complain bitterly because the hash in the |
| 13 |
> manifest will fail. Then you will know something is wrong. |
| 14 |
> |
| 15 |
> If I trojan the ebuild and the portage tree to match my trojaned sources, you |
| 16 |
> will probably not pick it up. This would be very risky indeed for me to do as |
| 17 |
> I can't be sure you will sync the tree and get your distfiles from me. |
| 18 |
|
| 19 |
Isn't there something like FEATURES="gpg" to enable checking gpg |
| 20 |
signatures on ebuilds? (I haven't tried it so I don't know if this is |
| 21 |
actually used) |
Archives