List-Id: Gentoo Linux mail
From: Lisa Seelye
To: khai@turbonet.com
Cc: Gentoo Dev
In-Reply-To: <1069466950.8702.4.camel@veritas>
References: <1069466950.8702.4.camel@veritas>
Message-Id: <1069475935.32645.87.camel@lisa.thedoh.com>
Date: Fri, 21 Nov 2003 23:38:55 -0500
Subject: Re: [gentoo-dev] GPG Signed packages

On Fri, 2003-11-21 at 21:09, Yi Qiang wrote:
> I think this has been brought up many times before, but as most of us
> know, many of the debian servers have been compromised recently. This
> has reinstated fear into many people about how "trustful" our distfile
> repositories really are. If indeed one is compromised it would be too
> easy for someone to slip a backdoor into a package, especially since I
> and a lot of other gentoo users simply ignore md5 checksums. If a
> digest fails we simply ebuild foo.ebuild digest it again. I think an
> option should be made that would allow failing packages if gpg fails. (I
> think Redhat does something like this) This of course is not a fool
> proof way, but a big improvement over what is currently done to ensure
> package integrity.

If the key server/signature is compromised you have gained nothing over
the way we have it now. Adding it is just another way for something to
go wrong.

As for users doing ebuild foo.ebuild digest blindly - that's a good way
to put your box at serious risk.

-- 
Regards,
-Lisa