| 1 |
On 05/07/2014 08:59 AM, Alan McKinnon wrote: |
| 2 |
> |
| 3 |
>>>> Verifying ebuild manifests |
| 4 |
> |
| 5 |
>>>> Emerging (1 of 1) app-doc/mysql-refman-5.5::alan |
| 6 |
> !!! Previously fetched file: |
| 7 |
> '/var/distfiles/refman-5.5-en.html-chapter.tar.gz' |
| 8 |
> !!! Reason: Failed on SHA256 verification |
| 9 |
> !!! Got: |
| 10 |
> 2eb9f21b4bc88b89a05e28b8a25ec221d36677ee13f2733c1dd1d0d28e81ad0d |
| 11 |
> !!! Expected: |
| 12 |
> 2eb9f21b4bc88b89a05e28b8a25ec221d36677ee13f2733c1dd1d0d28e81ad0e |
| 13 |
> Refetching... File renamed to |
| 14 |
> '/var/distfiles/refman-5.5-en.html-chapter.tar.gz._checksum_failure_.1s4y_D' |
| 15 |
|
| 16 |
This relies on two things. First, that the maintainer got the right |
| 17 |
tarball and actually verified the upstream signature (one can hope). |
| 18 |
Second, that the manifest you got wasn't modified by an evil mirror. |
| 19 |
|
| 20 |
It's possible for maintainers to sign the manifest with their GPG keys, |
| 21 |
but not required at the moment. Once signed manifests are ubiquitous, |
| 22 |
we'll be able to automatically verify the signatures... somehow. |
| 23 |
|
| 24 |
There are other problems though. Like the fact that the eclasses are |
| 25 |
unsigned, and can do whatever they want to an ebuild. There are GLEPs |
| 26 |
for some of this stuff, and 63 was just finalized, but I'm not sure |
| 27 |
about the state of the rest of them. |
Archives