>This was an argument against Gentoo more than six or seven years ago
>with regards to the security of the whole portage system.

Every package management system which uses hashes to verify integrity
has the same problems.

I think a lot of source tarballs are downloaded from the official sites
anyway. Someone really paranoid might manually check the patches.

>A number of
>suggestions were made in those early days, one of them being to sync
>with two mirrors and diff the ebuilds/Manifests/Distfiles affected by
>these two most recent syncs. As far as I know people didn't go for
>this because it was perceived that the system as implemented was
>secure enough and anyway the proposed solution would put too much
>pressure on the mirrors.

I do not have the intention to restart the discussion you mentioned.
But getting hashes and tarballs from the same source (mirror) doesn't go
far for security. At the moment I just trust the official mirrors and
trust that the community would realize soon if there were trojaned
packages the same way I trust apache or the kernel devs not to do
anything funny.

But I still like the idea of files signed with asynchr. crypt. I sure
will have a look into "FEATURES=sign".

/jdb