On Tue, Apr 6, 2010 at 3:41 PM, Alan McKinnon <alan.mckin...@gmail.com> wrote:
> On Tuesday 06 April 2010 20:56:30 Butterworth, John W. wrote:
>> Thanks.
>>
>> Do you know if someone makes a change to a copy of apache hosted on a
>> public mirror, will the sync between the servers determine that it's
>> corrupted (via 'bad' checksum) on the public side and replace it?
>
> I can answer this, I run a public Gentoo mirror (not an official one)
>
> If I, or some clown, loads a trojaned copy of Apache source code into
> my distfiles mirror, portage will complain bitterly because the hash in the
> manifest will fail. Then you will know something is wrong.
>
> If I trojan the ebuild and the portage tree to match my trojaned sources, you
> will probably not pick it up. This would be very risky indeed for me to do as
> I can't be sure you will sync the tree and get your distfiles from me.

Isn't there something like FEATURES="gpg" to enable checking gpg signatures on ebuilds? (I haven't tried it so I don't know if this is actually used)
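
An added example, not part of the original thread and not Portage's own code: a minimal Python sketch of the Manifest check described in the quoted reply, showing what the hash comparison catches and what it cannot catch once the Manifest itself is replaced. It assumes the Manifest2 `DIST <file> <size> <HASH> <hex> ...` line layout; the file name, contents and helper names are constructed for illustration.

```python
import hashlib

# Manifest hash names mapped to hashlib constructors (assumed subset).
HASHES = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def parse_dist_line(line):
    """Parse 'DIST <name> <size> <HASH> <hex> [<HASH> <hex> ...]'."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 == 0:
        raise ValueError("not a well-formed DIST entry")
    return fields[1], int(fields[2]), dict(zip(fields[3::2], fields[4::2]))

def make_dist_line(name, data):
    """Build the DIST entry the tree would carry for this file."""
    parts = ["DIST", name, str(len(data))]
    for algo in HASHES:
        parts += [algo, HASHES[algo](data).hexdigest()]
    return " ".join(parts)

def verify_distfile(line, name, data):
    """Return the list of failed checks; empty means the file matches."""
    want_name, want_size, digests = parse_dist_line(line)
    failures = []
    if name != want_name:
        failures.append("name")
    if len(data) != want_size:
        failures.append("size")
    known = [a for a in digests if a in HASHES]
    if not known:
        failures.append("no supported hash")
    for algo in known:
        if HASHES[algo](data).hexdigest() != digests[algo].lower():
            failures.append(algo)
    return failures

# Constructed sample data, not a real tarball.
NAME = "example-1.0.tar.bz2"
GOOD = b"constructed upstream source archive\n"
BAD = b"constructed modified source archive\n"
TREE_MANIFEST = make_dist_line(NAME, GOOD)  # entry from a trusted tree

if __name__ == "__main__":
    # Only the mirror's file differs: the tree's hashes expose it.
    print(verify_distfile(TREE_MANIFEST, NAME, BAD))
    # Manifest regenerated to match: hashes alone cannot tell, which is
    # why a signature over the Manifest is needed.
    print(verify_distfile(make_dist_line(NAME, BAD), NAME, BAD))
```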