So to avoid "spamming" with 20+ Thank You emails I'll send out just one and thank you all collectively for the information provided (I hope this isn't rude - I'm not sure of proper protocol in this situation).
I have a lot more insight now and some new ideas of where I need to look to learn more. This is a great community and it reflects in the OS - I don't know why I waited so long to try Gentoo.(??)! -john -----Original Message----- From: Jonas de Buhr [mailto:jonas.de.b...@gmx.net] Sent: Wednesday, April 07, 2010 8:35 AM To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Portage + checksums >This was an argument against Gentoo more than six or seven years ago >with regards to the security of whole portage system. Every package management system which uses hashes to verify integrity has the same problems. I think a lot of source tarballs are downloaded from the official sites anyway. Someone really paranoid might manually check the patches. >A number of >suggestions were made in those early days, one of them being to sync >with two mirrors and diff the ebuilds/Manifests/Distfiles affected by >these two most recent syncs. As far as I know people didn't go for >this because it was perceived that the system as implemented was >secure enough and anyway the proposed solution would put too much >pressure on the mirrors. I do not have the intention to restart the discussion you mentioned. But getting hashes and tarballs from the same source (mirror) doesn't go far for security. At the moment I just trust the official mirrors and trust that the community would realize soon if there were trojaned packages the same way I trust apache or the kernel devs not to do anything funny. But I still like the idea of files signed with asynchr. crypt. I sure will have a look into "FEATURES=sign". /jdb
smime.p7s
Description: S/MIME cryptographic signature
