Re: [gentoo-dev] GPG Signed packages

[Andrew Gaffney <agaffney@technaut.darktalker.net>]

Lisa Seelye wrote:
> On Fri, 2003-11-21 at 21:09, Yi Qiang wrote:
> 
>>I think this has been brought up many times before, but as most of us
>>know, many of the debian servers have been compromised recently.  This
>>has reinstated fear into many people about how "trustful" our distfile
>>repositories really are.  If indeed one is compromised it would be too
>>easy for someone to slip a backdoor into a package, especially since I
>>and a lot of other gentoo users simply ignore md5 checksums.  If a
>>digest fails we simply ebuild foo.ebuild digest it again.  I think an
>>option should be made that would allow failing packages if gpg fails. (I
>>think Redhat does something like this)  This of course is not a fool
>>proof way, but a big improvement over what is currently done to ensure
>>package integrity. 
> 
> 
> If the key server/signature is compromised you have gained nothing over
> the way we have it now.  Adding it is just another way for something to
> go wrong.
> 
> As for users doing ebuild foo.ebuild digest blindly - that's a good way
> to put your box at serious risk.

I agree that the current system is good the way it is. If someone is dumb enough to ignore 
a failing MD5 on anything other than MPlayer fonts, and I'm sure most of us have done 
'ebuild digest mplayer-x.xx.ebuild' at one point or another (I have), another check isn't 
going to keep them from opening up their box, anyway.

-- 
Andrew Gaffney


--
gentoo-dev@gentoo.org mailing list