-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 16 January 2004 06:44, Norbert Kamenicky wrote:
> Jason Stubbs wrote:
> >>> This is a very good reason for all those who go directly to "updating"
> >>> the digest after a couple of failed downloads to think again the next
> >>> time. That is unless you like root exploits and such like was
> >>> discovered in the kernel recently.
> >
> > For those that are interested, it turns out that kde.org was at fault and
> > the listed digest was in fact incorrect.
>
> Yes, you are right, it can be dangerous.
> I just answered the question, but do not upgrade yet.
> I'll wait minimum until the problem is explained/solved.
> The same strategy I recommend to everybody.
>
> Anyway, I think if the Gentoo root server is exploited,
> then it can't be a problem for an attacker to replace both
> source and digest.
> To prevent such behavior, probably some other
> digital signature from a developer authority is needed,
> so that it is immediately recognized by all of us.

Actually, I'm fairly certain that the root distfiles mirror and the root 
portage mirror are on two different machines. So while it is still 
theoretically possible, there are steps in place. I think everybody will be 
much happier when the digital signing does get put into place.

- -- 
Regards,
Jason Stubbs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAByexosKAszmcBv4RAqG3AJ990p9lEY4U+mHIm44Gn6RHphSB3ACeK3tS
SI3GP6PXaUlhDZjNgTbMt7w=
=Pvvl
-----END PGP SIGNATURE-----

--
[EMAIL PROTECTED] mailing list
