On Saturday 18 October 2003 22:41, Spider wrote:
> On Sat, 18 Oct 2003 20:41:01 +0900
> Jason Stubbs <[EMAIL PROTECTED]> wrote:
> > If the md5sum shows up as wrong would the following procedure be safe?
> BLEEP. Wrong.
>
> The file on their ftp may well have been altered post checking by a dev.
> Or you could have a man in the middle / proxy that changes the data for
> you.

Fair enough. Point taken.

However, I must also then ask what steps the responsible dev takes to confirm 
where the problem lies. Does the dev keep a copy of the original file that 
the portage's md5sum was taken from? Do the contents of the unmatching file 
get diffed against the supposed correct file to see what changes there are? 

I'm not trying to say I don't trust the devs at all - I haven't personally 
verified the integrity of anything that I've installed via portage - but from 
a security point of view I'm just wondering if there is a standard procedure 
for resolving this issue.

Regards,
Jason
