On Tuesday 06 April 2010 23:13:47 Paul Hartman wrote: > On Tue, Apr 6, 2010 at 3:41 PM, Alan McKinnon <alan.mckin...@gmail.com> wrote: > > On Tuesday 06 April 2010 20:56:30 Butterworth, John W. wrote: > >> Thanks. > >> > >> Do you know if someone makes a change to a copy of apache hosted on a > >> public mirror, will the sync between the servers determine that it's > >> corrupted (via 'bad' checksum) on the public side and replace it? > > > > I can answer this, I run a public Gentoo mirror (not an official one) > > > > If I, or some clown, loads a trojaned copy of Apache source code into > > my distfiles mirror, portage will complain bitterly because the hash in > > the manifest will fail. Then you will know something is wrong. > > > > If I trojan the ebuild and the portage tree to match my trojaned sources, > > you will probably not pick it up. This would be very risky indeed for me > > to do as I can't be sure you will sync the tree and get your distfiles > > from me. > > Isn't there something like FEATURES="gpg" to enable checking gpg > signatures on ebuilds? (I haven't tried it so I don't know if this is > actually used)
FEATURES=sign "man 5 make.conf" implies that the dev signs the Manifest by checking something into the tree using repoman. Presumably, the user either has to fetch the public key or portage includes it in the tree. But documentation in the man pages is sparse, I can't find an explanation of how it should work. -- alan dot mckinnon at gmail dot com
