Hi!

>Do you know if someone makes a change to a copy of apache hosted on a
>public mirror, will the sync between the servers determine that it's
>corrupted (via 'bad' checksum) on the public side and replace it?

I'm not sure how gentoo mirrors do the syncing but in a lot of cases an
error like this would show up on the downloading (client-/mirror-) side
which won't help you at all if you don't trust the mirror.

The way I understand this, a problem is that any mirror may simply
regenerate hash values like RMD160 or SHA1 for modified source files. If
you don't compare them to those from a trusted server you will never
know.

So a general approach to this may be that some gentoo core team would
sign everything with one (or a set of) private key(s) of some kind and
publish the corresponding public key(s) on their website and with the
install images. The signature could easily be copied to mirrors but not
regenerated for changed source files.

However that would be a lot more work for the gentoo developers since
*few* (else it's pointless) trusted people with access to the private
key would have to approve every single update for every arch and
compare every source tarball to a trusted one.

Maybe you could run your own mirror and sync it to a trusted one?

Bye,
jdb