Thanks.

Do you know: if someone makes a change to a copy of Apache hosted on a public
mirror, will the sync between the servers determine that it's corrupted (via a
'bad' checksum) on the public side and replace it?

-john

-----Original Message-----
From: Albert W. Hopkins [mailto:mar...@letterboxes.org] 
Sent: Tuesday, April 06, 2010 2:24 PM
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Portage + checksums

On Tue, 2010-04-06 at 14:15 -0400, Butterworth, John W. wrote:
> How can I verify that the installed packages on a Gentoo system came
> from the same source that was on a main rotation mirror and/or
> “blessed” by the Gentoo development team?
>
> By verifying the checksum located in /var/db/pkg/$APPNAME/CONTENTS am
> I only confirming that the source was the same as that which was
> downloaded from the mirror?
>
> I guess what I’m getting at is how can I be sure I can trust a
> mirror?
>
> Thank you very much in advance for any insight provided,

It really depends on your level of paranoia.  Ultimately it can't be
trusted at all.

If you really want to be sure then just get the source/manifest from your
"trusted" mirror and compare.
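
As an added example (not part of the thread, and not Portage's own code): a Python check of installed files against the MD5 values recorded in a CONTENTS file of the kind named in the question, assuming the `obj <path> <md5> <mtime>` line layout. It shows only whether files on disk still match the local record; it says nothing about whether the source on the mirror was genuine. The `root` parameter and the sample entries are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def parse_contents(text):
    """Return (path, md5) for every 'obj' entry; 'dir' and 'sym' lines carry no hash."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("obj "):
            continue
        # Paths may contain spaces, so take the two trailing fields from the right.
        path, md5, _mtime = line[4:].rsplit(" ", 2)
        entries.append((path, md5.lower()))
    return entries

def md5_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(contents_text, root="/"):
    """Map each recorded file to 'ok', 'modified' or 'missing'."""
    report = {}
    for path, recorded in parse_contents(contents_text):
        on_disk = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(on_disk):
            report[path] = "missing"
        else:
            report[path] = "ok" if md5_of(on_disk) == recorded else "modified"
    return report

def demo():
    """Constructed sample: a scratch root with one intact file and one altered file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/bin"))
    for name in ("tool", "my tool"):
        with open(os.path.join(root, "usr/bin", name), "wb") as fh:
            fh.write(b"original\n")
    good = hashlib.md5(b"original\n").hexdigest()
    contents = (
        "dir /usr/bin\n"
        f"obj /usr/bin/tool {good} 1270577040\n"
        f"obj /usr/bin/my tool {'0' * 32} 1270577040\n"   # recorded hash differs
        f"obj /usr/bin/gone {good} 1270577040\n"           # file absent on disk
        "sym /usr/bin/t -> tool 1270577040\n"
    )
    return verify(contents, root)

if __name__ == "__main__":
    for path, status in demo().items():
        print(status, path)
```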




