From: Lisa Seelye <lisa@gentoo.org>
To: khai@turbonet.com
Cc: Gentoo Dev <gentoo-dev@gentoo.org>
Subject: Re: [gentoo-dev] GPG Signed packages
Date: Fri, 21 Nov 2003 23:38:55 -0500
Message-ID: <1069475935.32645.87.camel@lisa.thedoh.com>
In-Reply-To: <1069466950.8702.4.camel@veritas>
On Fri, 2003-11-21 at 21:09, Yi Qiang wrote:
> I think this has been brought up many times before, but as most of us
> know, many of the Debian servers have been compromised recently. This
> has reinstated fear into many people about how "trustful" our distfile
> repositories really are. If indeed one is compromised it would be too
> easy for someone to slip a backdoor into a package, especially since I
> and a lot of other Gentoo users simply ignore md5 checksums. If a
> digest fails we simply `ebuild foo.ebuild digest` it again. I think an
> option should be made that would allow failing packages if gpg fails. (I
> think Red Hat does something like this.) This of course is not a
> foolproof way, but a big improvement over what is currently done to ensure
> package integrity.
If the key server/signature is compromised you have gained nothing over
the way we have it now. Adding it is just another way for something to
go wrong.
As for users doing ebuild foo.ebuild digest blindly - that's a good way
to put your box at serious risk.
--
Regards,
-Lisa
<Vix ulla tam iniqua pax, quin bello vel aequissimo sit potior>
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
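The two failure modes argued over above (a user who blindly regenerates a failed digest, and a signing key or signature that is itself compromised) are easy to see side by side in code. The following is an added example and is not code from the Gentoo project or from anyone in this thread. It assumes the 2003-era digest line layout `MD5 <hex> <name> <size>`, uses a Lamport one-time signature built from SHA-256 as a stand-in for the GPG detached signature the thread discusses, and constructs the distfile bytes and manifest inline.

```python
"""Digest-only versus signed-manifest verification of a distfile.

Added example, not Gentoo code. Assumptions: the manifest line format
'MD5 <hex> <name> <size>' (2003 Gentoo digest layout) and a Lamport
one-time signature over SHA-256 standing in for a GPG signature.
All inputs below are constructed for the example.
"""
import hashlib
import secrets


# ---- Lamport one-time signature (stand-in for the GPG signature) ----

def lamport_keygen():
    """256 bit positions, two random preimages each; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def lamport_sign(sk, message: bytes):
    """Reveal, for each bit of SHA-256(message), the preimage selected by that bit."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return [sk[i][(h >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pk, message: bytes, sig) -> bool:
    """Hash each revealed preimage and compare against the public key half selected by the bit."""
    if len(sig) != 256:
        return False
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return all(hashlib.sha256(sig[i]).digest() == pk[i][(h >> (255 - i)) & 1]
               for i in range(256))


# ---- Digest manifest handling ----

def make_manifest(files: dict) -> bytes:
    """Build 'MD5 <hex> <name> <size>' lines, i.e. what 'ebuild foo.ebuild digest' writes."""
    lines = [f"MD5 {hashlib.md5(data).hexdigest()} {name} {len(data)}"
             for name, data in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()


def digests_match(manifest: bytes, files: dict) -> bool:
    """Check every manifest entry against the bytes actually on disk."""
    for line in manifest.decode().splitlines():
        algo, hexdigest, name, size = line.split()
        data = files.get(name)
        if data is None or algo != "MD5":
            return False
        if hashlib.md5(data).hexdigest() != hexdigest or len(data) != int(size):
            return False
    return True


def verify_digest_only(manifest: bytes, files: dict, regenerate_on_failure: bool) -> bool:
    """Digest-only check; with regenerate_on_failure=True it models the blind re-digest habit."""
    if digests_match(manifest, files):
        return True
    if regenerate_on_failure:
        # The user re-runs 'ebuild foo.ebuild digest': the new manifest describes
        # whatever is on disk, so the check can no longer fail.
        return digests_match(make_manifest(files), files)
    return False


def verify_signed(manifest: bytes, sig, pk, files: dict) -> bool:
    """Fail closed: refuse unless the manifest signature verifies, then check digests."""
    if not lamport_verify(pk, manifest, sig):
        return False
    return digests_match(manifest, files)


def scenario() -> dict:
    """Run the cases from the thread and return which verifier accepts what."""
    sk, pk = lamport_keygen()
    clean = {"foo-1.0.tar.gz": b"constructed clean tarball bytes for foo-1.0"}
    manifest = make_manifest(clean)
    sig = lamport_sign(sk, manifest)

    # Attacker on a compromised mirror swaps the tarball and regenerates the digest.
    backdoored = {"foo-1.0.tar.gz": clean["foo-1.0.tar.gz"] + b"\n# constructed backdoor"}
    attacker_manifest = make_manifest(backdoored)

    return {
        "clean_signed": verify_signed(manifest, sig, pk, clean),
        "digest_only_blind_redigest": verify_digest_only(manifest, backdoored, True),
        "digest_only_strict": verify_digest_only(manifest, backdoored, False),
        "attacker_regenerated_digest": digests_match(attacker_manifest, backdoored),
        "attacker_regenerated_signed": verify_signed(attacker_manifest, sig, pk, backdoored),
        # If the signing key itself is stolen, the signature buys nothing.
        "compromised_signing_key": verify_signed(attacker_manifest,
                                                 lamport_sign(sk, attacker_manifest),
                                                 pk, backdoored),
    }


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case:32s} accepted={accepted}")
```

The `attacker_regenerated_digest` case is the gap a digest alone leaves: whoever controls the mirror can rewrite the digest file along with the tarball, and a user who re-digests locally closes the gap for them. The `compromised_signing_key` case is the point made in the reply: a signature only moves the trust to the key, so key custody and signature distribution have to be protected as carefully as the distfiles.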
Thread overview (7 messages):
2003-11-22 2:09 [gentoo-dev] GPG Signed packages Yi Qiang
2003-11-22 4:38 ` Lisa Seelye [this message]
2003-11-22 5:24 ` Andrew Gaffney
2003-11-22 9:13 ` Torsten Veller
2003-11-22 13:15 ` James Harlow
2003-11-22 22:45 ` Aron Griffis
2003-11-23 10:45 ` Frank Zschockelt