On 10/08/17 06:35, William L. Thomson Jr. wrote:
> FYI binpkgs have no hash. If someone did something malicious within the
> binhost to the binpkgs. You have no way of knowing. Yes the same can
> happen with ebuilds and manifest. But easy to sync portage and see if a
> manifest has changed.

This isn't exactly true - see ${PKGDIR}/Packages on the binhost, which
is a manifest of built packages and related metadata. Granted this is
created by the binhost, it does exist and contains SHA1 and MD5 hashes,
as well as package size. In that sense it's no different to how a
package Manifest file works within a repository.

-- 
Sam Jorna (wraeth)
GnuPG ID: D6180C26
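
A check of a fetched binpkg against its entry in ${PKGDIR}/Packages, as an added example (not from the original message and not Portage's own code). The stanza layout (a header block, then blank-line-separated "KEY: value" blocks carrying CPV, MD5, SHA1 and SIZE), the package name and the sample data are assumptions constructed for illustration.

```python
import hashlib

def parse_packages_index(text):
    """Return {CPV: {key: value}} from the text of a Packages index.

    Assumed layout: a header stanza, then one blank-line-separated stanza
    of "KEY: value" lines per package.
    """
    entries = {}
    for stanza in text.strip().split("\n\n")[1:]:  # element 0 is the header
        fields = dict(line.split(": ", 1)
                      for line in stanza.splitlines() if ": " in line)
        if "CPV" in fields:
            entries[fields["CPV"]] = fields
    return entries

def verify_binpkg(entry, stream, chunk=1 << 16):
    """Hash a binary stream and return the index fields it fails to match.

    A field that is absent from the entry counts as a mismatch, so an
    index stripped of its hashes does not pass silently.
    """
    sha1, md5, size = hashlib.sha1(), hashlib.md5(), 0
    while True:
        block = stream.read(chunk)
        if not block:
            break
        sha1.update(block)
        md5.update(block)
        size += len(block)
    actual = {"SIZE": str(size),
              "SHA1": sha1.hexdigest(),
              "MD5": md5.hexdigest()}
    return [key for key in ("SIZE", "SHA1", "MD5")
            if entry.get(key, "").lower() != actual[key]]

# Constructed sample data: a stand-in payload and a one-package index for it.
SAMPLE_PKG = b"constructed stand-in for a .tbz2 payload\n"
SAMPLE_INDEX = (
    "ARCH: amd64\nPACKAGES: 1\nVERSION: 0\n\n"
    "CPV: app-misc/example-1.0\n"
    f"MD5: {hashlib.md5(SAMPLE_PKG).hexdigest()}\n"
    f"SHA1: {hashlib.sha1(SAMPLE_PKG).hexdigest()}\n"
    f"SIZE: {len(SAMPLE_PKG)}\n"
)
```

An empty result only shows that the file is consistent with the index; as the message notes, that index is created by the binhost itself.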