[gentoo-user] Portage + checksums

2010-04-06 Thread Butterworth, John W.
How can I verify that the installed packages on a Gentoo system came from the same source that was on a main rotation mirror and/or "blessed" by the Gentoo development team? By verifying the checksum located in /var/db/pkg/$APPNAME/CONTENTS am I only confirming that the source was the same a

Re: [gentoo-user] Portage + checksums

2010-04-06 Thread Albert W. Hopkins
On Tue, 2010-04-06 at 14:15 -0400, Butterworth, John W. wrote:
> How can I verify that the installed packages on a Gentoo system came from the same source that was on a main rotation mirror and/or “blessed” by the Gentoo development team?
>
> By verifying the checksum located in /var

RE: [gentoo-user] Portage + checksums

2010-04-06 Thread Butterworth, John W.
ins [mailto:mar...@letterboxes.org] Sent: Tuesday, April 06, 2010 2:24 PM To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Portage + checksums On Tue, 2010-04-06 at 14:15 -0400, Butterworth, John W. wrote: > How can I verify that the installed packages on a Gentoo system came > from the

Re: [gentoo-user] Portage + checksums

2010-04-06 Thread Jonas de Buhr
Hi!
> Do you know if someone makes a change to a copy of apache hosted on a public mirror, will the sync between the servers determine that it's corrupted (via 'bad' checksum) on the public side and replace it?
I'm not sure how gentoo mirrors do the syncing but in a lot of cases an error like

Re: [gentoo-user] Portage + checksums

2010-04-06 Thread Alan McKinnon
@letterboxes.org] > Sent: Tuesday, April 06, 2010 2:24 PM > To: gentoo-user@lists.gentoo.org > Subject: Re: [gentoo-user] Portage + checksums > > On Tue, 2010-04-06 at 14:15 -0400, Butterworth, John W. wrote: > > How can I verify that the installed packages on a Gentoo system c

Re: [gentoo-user] Portage + checksums

2010-04-06 Thread Paul Hartman
On Tue, Apr 6, 2010 at 3:41 PM, Alan McKinnon wrote: > On Tuesday 06 April 2010 20:56:30 Butterworth, John W. wrote: >> Thanks. >> >> Do you know if someone makes a change to a copy of apache hosted on a >> public mirror, will the sync between the servers determine that it's >> corrupted (via 'bad

Re: [gentoo-user] Portage + checksums

2010-04-06 Thread Alan McKinnon
On Tuesday 06 April 2010 23:13:47 Paul Hartman wrote: > On Tue, Apr 6, 2010 at 3:41 PM, Alan McKinnon wrote: > > On Tuesday 06 April 2010 20:56:30 Butterworth, John W. wrote: > >> Thanks. > >> > >> Do you know if someone makes a change to a copy of apache hosted on a > >> public mirror, will the

Re: [gentoo-user] Portage + checksums

2010-04-06 Thread Mark Knecht
On Tue, Apr 6, 2010 at 2:26 PM, Alan McKinnon wrote: > > FEATURES=sign > > "man 5 make.conf" implies that the dev signs the Manifest by checking > something into the tree using repoman. Presumably, the user either has to > fetch the public key or portage includes it in the tree. But documentation

Re: [gentoo-user] Portage + checksums

2010-04-06 Thread Alan McKinnon
On Tuesday 06 April 2010 23:46:48 Mark Knecht wrote: > On Tue, Apr 6, 2010 at 2:26 PM, Alan McKinnon > wrote: > > > FEATURES=sign > > > > "man 5 make.conf" implies that the dev signs the Manifest by checking > > something into the tree using repoman. Presumably, the user either has to > > fetch

Re: [gentoo-user] Portage + checksums

2010-04-06 Thread Mick
On Tuesday 06 April 2010 23:16:13 Alan McKinnon wrote: > On Tuesday 06 April 2010 23:46:48 Mark Knecht wrote: > > On Tue, Apr 6, 2010 at 2:26 PM, Alan McKinnon > > wrote: > > > > > FEATURES=sign > > > > > > "man 5 make.conf" implies that the dev signs the Manifest by checking > > > something into

Re: [gentoo-user] Portage + checksums

2010-04-07 Thread Jonas de Buhr
> This was an argument against Gentoo more than six or seven years ago with regards to the security of whole portage system.
Every package management system which uses hashes to verify integrity has the same problems. I think a lot of source tarballs are downloaded from the official sites anyw

RE: [gentoo-user] Portage + checksums

2010-04-07 Thread Butterworth, John W.
e I need to look to learn more. This is a great community and it reflects in the OS - I don't know why I waited so long to try Gentoo.(??)! -john -Original Message- From: Jonas de Buhr [mailto:jonas.de.b...@gmx.net] Sent: Wednesday, April 07, 2010 8:35 AM To: gentoo-user@lists.gentoo

Re: [gentoo-user] Portage + checksums

2010-04-08 Thread Mick
On Wednesday 07 April 2010 16:06:03 Butterworth, John W. wrote: > So to avoid "spamming" with 20+ Thank You emails I'll send out just one and > thank you all collectively for the information provided (I hope this isn't > rude - I'm not sure of proper protocol in this situation). > > I have a lot m