| 1 |
>This was an argument against Gentoo more than six or seven years ago |
| 2 |
>with regards to the security of whole portage system. |
| 3 |
|
| 4 |
Every package management system which uses hashes to verify integrity |
| 5 |
has the same problems. |
| 6 |
|
| 7 |
I think a lot of source tarballs are downloaded from the official sites |
| 8 |
anyway. Someone really paranoid might manually check the patches. |
| 9 |
|
| 10 |
>A number of |
| 11 |
>suggestions were made in those early days, one of them being to sync |
| 12 |
>with two mirrors and diff the ebuilds/Manifests/Distfiles affected by |
| 13 |
>these two most recent syncs. As far as I know people didn't go for |
| 14 |
>this because it was perceived that the system as implemented was |
| 15 |
>secure enough and anyway the proposed solution would put too much |
| 16 |
>pressure on the mirrors. |
| 17 |
|
| 18 |
I do not have the intention to restart the discussion you mentioned. |
| 19 |
But getting hashes and tarballs from the same source (mirror) doesn't go |
| 20 |
far for security. At the moment I just trust the official mirrors and |
| 21 |
trust that the community would realize soon if there were trojaned |
| 22 |
packages the same way I trust apache or the kernel devs not to do |
| 23 |
anything funny. |
| 24 |
|
| 25 |
But I still like the idea of files signed with asynchr. crypt. I sure |
| 26 |
will have a look into "FEATURES=sign". |
| 27 |
|
| 28 |
/jdb |
Archives