From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on finch.gentoo.org X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=DMARC_MISSING, MAILING_LIST_MULTI,NICE_REPLY_A autolearn=unavailable autolearn_force=no version=4.0.0 Received: from exchange.colubris.com (gate.colubris.com [206.162.167.230]) by chiba.3jane.net (Postfix) with ESMTP id 12FE7AC583 for ; Fri, 19 Jul 2002 08:04:43 -0500 (CDT) Received: from corneille.colubris.com ([192.168.30.125]) by exchange.colubris.com with Microsoft SMTPSVC(5.0.2195.3779); Fri, 19 Jul 2002 09:01:16 -0400 Content-Type: text/plain; charset="iso-8859-1" From: Yannick Koehler Organization: Colubris Networks Inc. To: Nils Decker , gentoo-dev@gentoo.org Subject: Re: [gentoo-dev] Peer-to-Peer? Date: Fri, 19 Jul 2002 09:04:40 -0400 User-Agent: KMail/1.4.2 References: <200207180926.41751.yannick.koehler@colubris.com> <3D374E12.4000104@seul.org> <20020719112009.2ae78f8b.nils@ndecker.de> In-Reply-To: <20020719112009.2ae78f8b.nils@ndecker.de> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Message-Id: <200207190904.41900.yannick.koehler@colubris.com> X-OriginalArrivalTime: 19 Jul 2002 13:01:16.0296 (UTC) FILETIME=[5E0BE080:01C22F24] Sender: gentoo-dev-admin@gentoo.org Errors-To: gentoo-dev-admin@gentoo.org X-BeenThere: gentoo-dev@gentoo.org X-Mailman-Version: 2.0.6 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Gentoo Linux developer list List-Unsubscribe: , List-Archive: X-Archives-Salt: 956f9706-ddbc-41d7-b153-7bef4fd3d96e X-Archives-Hash: 8b1f0eee7d6fb31a84d4774fc7b6c718 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On July 19, 2002 05:20 am, Nils Decker wrote: > > > propose or take it from the distribution system. Basically the > > > same as ccache ;-) > > > > I like the idea. I was thinking of something similar. > > I think it's possible to hash the use flags used to build > > the package and compare it to the package to be downloaded. > > I see another problem with this. There is no way to make the packages > trusted. In the portage tree, every downloaded file is checked against = a > MD5 hash. This means, I have to trust the person who build the port. Th= is > is not a big problem to me, because those people are "near" to the gent= oo > core, and everybody can check the MD5s against the official downloads o= f > the packet. > > I can't do this sort of check agains precompiled binaries, because ever= y > binary would have a different MD5. The only way to check would to compi= le > the package myself with the same flags, thus defeating the purpose. > Using those binary packages means to trust every user of gentoo, that h= e > doesn't put trojans or whatever on my system. The MD5 hash verification is only providing proof that the file you've=20 transferred between the distribution server and your PC was the same inte= nded=20 by the server on which you did your rsync of the digest files. You actually implicitely trust that whoever put the digest files inside t= he=20 rsync server used "correct" sources tarballs, you could verify that but t= he=20 process is kind of lenghty as it would be for a binary check too. And now because there may be multiple rsync server, that trust is getting= less=20 and less meaningful. To fix that, one would have to actually use the same PGP signature of the= =20 package as the one provided on the original distribution site from the=20 original author. - --=20 Yannick Koehler =20 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9OA5ofuKOJNEyL1URAgjIAJ9uevL5x70xa9gpTZsckyivZzAcRQCdEVry YpQYX7E3DVoJtRlhTXQyqpg=3D =3Ddjr/ -----END PGP SIGNATURE-----