>This was an argument against Gentoo more than six or seven years ago
>with regards to the security of whole portage system.  

Every package management system which uses hashes to verify integrity
has the same problems.

I think a lot of source tarballs are downloaded from the official sites
anyway. Someone really paranoid might manually check the patches.

>A number of
>suggestions were made in those early days, one of them being to sync
>with two mirrors and diff the ebuilds/Manifests/Distfiles affected by
>these two most recent syncs.  As far as I know people didn't go for
>this because it was perceived that the system as implemented was
>secure enough and anyway the proposed solution would put too much
>pressure on the mirrors.

I do not have the intention to restart the discussion you mentioned.
But getting hashes and tarballs from the same source (mirror) doesn't go
far for security. At the moment I just trust the official mirrors and
trust that the community would realize soon if there were trojaned
packages the same way I trust apache or the kernel devs not to do
anything funny.

But I still like the idea of files signed with asynchr. crypt. I sure
will have a look into "FEATURES=sign".

/jdb

Reply via email to