> This was an argument against Gentoo more than six or seven years ago
> with regards to the security of whole portage system.

Every package management system which uses hashes to verify integrity has the same problems. I think a lot of source tarballs are downloaded from the official sites anyway. Someone really paranoid might manually check the patches.

> A number of suggestions were made in those early days, one of them being to sync
> with two mirrors and diff the ebuilds/Manifests/Distfiles affected by
> these two most recent syncs. As far as I know people didn't go for
> this because it was perceived that the system as implemented was
> secure enough and anyway the proposed solution would put too much
> pressure on the mirrors.

I do not have the intention to restart the discussion you mentioned. But getting hashes and tarballs from the same source (mirror) doesn't go far for security. At the moment I just trust the official mirrors and trust that the community would realize soon if there were trojaned packages the same way I trust apache or the kernel devs not to do anything funny. But I still like the idea of files signed with asynchr. crypt. I sure will have a look into "FEATURES=sign".

/jdb
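The two-mirror idea quoted above (sync from two mirrors, diff the Manifests, and only then trust the distfile) can be illustrated with a small script. This is an added example, not code from the thread or from Portage itself: the Manifest lines, the package name foo-1.0 and the tarball bytes are constructed stand-ins, and the parser only handles the `TYPE name size HASHNAME hex ...` layout of Manifest2 lines. Portage's own `emerge`/`ebuild ... manifest` machinery does the per-file check in practice; the script just shows what comparing two independently fetched copies buys you that one mirror's self-consistent hashes do not.

```python
"""Diff two copies of a Portage-style Manifest and verify a distfile (added example)."""
import hashlib
import hmac
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    kind: str                # DIST, EBUILD, MISC or AUX
    size: int
    digests: Dict[str, str]  # hash name -> hex digest


def manifest_line(kind: str, name: str, data: bytes) -> str:
    """Build one Manifest2 line for `data`; used here only to construct sample input."""
    return (f"{kind} {name} {len(data)} "
            f"BLAKE2B {hashlib.blake2b(data).hexdigest()} "
            f"SHA512 {hashlib.sha512(data).hexdigest()}")


def parse_manifest(text: str) -> Dict[str, Entry]:
    """Parse lines of the form: TYPE name size HASHNAME hex [HASHNAME hex ...]."""
    entries: Dict[str, Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # three fixed fields plus at least one (name, digest) pair
        if len(fields) < 5 or len(fields) % 2 != 1:
            raise ValueError(f"malformed Manifest line: {raw!r}")
        kind, name, size = fields[0], fields[1], int(fields[2])
        digests = dict(zip(fields[3::2], fields[4::2]))
        entries[name] = Entry(kind, size, digests)
    return entries


HASHERS = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512}


def verify_file(entry: Entry, data: bytes) -> bool:
    """True only if the size and every digest we can compute match the Manifest entry."""
    if len(data) != entry.size:
        return False
    checked = 0
    for name, expected in entry.digests.items():
        hasher = HASHERS.get(name)
        if hasher is None:
            continue  # an algorithm we cannot compute neither confirms nor refutes
        if not hmac.compare_digest(hasher(data).hexdigest(), expected.lower()):
            return False
        checked += 1
    return checked > 0  # refuse to pass a file that no known digest vouched for


def diff_manifests(a: Dict[str, Entry], b: Dict[str, Entry]) -> List[str]:
    """Names present in only one Manifest, or whose size or digests disagree."""
    return sorted(name for name in set(a) | set(b) if a.get(name) != b.get(name))


# Constructed sample input: a stand-in distfile and the Manifest two mirrors serve for it.
DISTFILE = b"constructed stand-in for the bytes of foo-1.0.tar.gz\n"
EBUILD = b"# constructed stand-in for foo-1.0.ebuild\n"
MANIFEST_MIRROR_A = "\n".join([
    manifest_line("DIST", "foo-1.0.tar.gz", DISTFILE),
    manifest_line("EBUILD", "foo-1.0.ebuild", EBUILD),
])
# Mirror B lists the same ebuild but different tarball bytes: the Manifest there is
# internally consistent with its own tarball, which is why single-mirror hashes pass.
MANIFEST_MIRROR_B = "\n".join([
    manifest_line("DIST", "foo-1.0.tar.gz", DISTFILE + b"extra\n"),
    manifest_line("EBUILD", "foo-1.0.ebuild", EBUILD),
])


def check_both_mirrors() -> List[str]:
    """Parse the Manifest fetched from each mirror and report every disagreement."""
    return diff_manifests(parse_manifest(MANIFEST_MIRROR_A),
                          parse_manifest(MANIFEST_MIRROR_B))


if __name__ == "__main__":
    print("entries that differ between mirrors:", check_both_mirrors())
    entry = parse_manifest(MANIFEST_MIRROR_A)["foo-1.0.tar.gz"]
    print("distfile matches mirror A's Manifest:", verify_file(entry, DISTFILE))
```

Any name reported by `check_both_mirrors()` is a reason to stop and fetch that file from a third source, or to fall back to a signature check, before installing. Note that the verification against a single mirror still passes for each mirror on its own, which is exactly the weakness the post describes.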