| 1 |
Hi! |
| 2 |
|
| 3 |
>Do you know if someone makes a change to a copy of apache hosted on a |
| 4 |
>public mirror, will the sync between the servers determine that it's |
| 5 |
>corrupted (via 'bad' checksum) on the public side and replace it? |
| 6 |
|
| 7 |
I'm not sure how gentoo mirrors do the syncing but in a lot of cases an |
| 8 |
error like this would show up on the downloading (client-/mirror-) side |
| 9 |
which wont help you at all if you don't trust the mirror. |
| 10 |
|
| 11 |
The way I undestand this a problem is that any mirror may simply |
| 12 |
regenerate hash values like RMD160 or SHA1 for modified sourcefiles. If |
| 13 |
you don't compare them to those from a trusted server you will never |
| 14 |
know. |
| 15 |
|
| 16 |
So a general aproach to this may be that some gentoo core team would |
| 17 |
sign everything with one (or a set of) private key(s) of some kind and |
| 18 |
publish the corresponding public key(s) on their website and with the |
| 19 |
install images. The signature could easily be copied to mirrors but not |
| 20 |
regenerated for changed sourcefiles. |
| 21 |
|
| 22 |
However that would be a lot more work for the gentoo developers since |
| 23 |
*few* (else it's pointless) trusted people with access to the private |
| 24 |
key would have to approve every single update for every arch and |
| 25 |
compare every source tarball to a trusted one. |
| 26 |
|
| 27 |
Maybe you could run your own mirror and sync it to a trusted one? |
| 28 |
|
| 29 |
Bye, |
| 30 |
jdb |
Archives