Hi! >Do you know if someone makes a change to a copy of apache hosted on a >public mirror, will the sync between the servers determine that it's >corrupted (via 'bad' checksum) on the public side and replace it?
I'm not sure how gentoo mirrors do the syncing but in a lot of cases an error like this would show up on the downloading (client-/mirror-) side which wont help you at all if you don't trust the mirror. The way I undestand this a problem is that any mirror may simply regenerate hash values like RMD160 or SHA1 for modified sourcefiles. If you don't compare them to those from a trusted server you will never know. So a general aproach to this may be that some gentoo core team would sign everything with one (or a set of) private key(s) of some kind and publish the corresponding public key(s) on their website and with the install images. The signature could easily be copied to mirrors but not regenerated for changed sourcefiles. However that would be a lot more work for the gentoo developers since *few* (else it's pointless) trusted people with access to the private key would have to approve every single update for every arch and compare every source tarball to a trusted one. Maybe you could run your own mirror and sync it to a trusted one? Bye, jdb
