public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Idea about signing ebuilds
From: Alexander Holler @ 2002-06-06 18:56 UTC
  To: gentoo-dev

Hello,

what do you think about signing the ebuilds and digests with gpg?

That would make it harder for blackhats to introduce a worm or something
similar (if they have got access to an rsync mirror).

My idea is to automatically sign the released ebuilds (before mirroring 
them) with a key of gentoo.org.

Then emerge could check the signature and could discard wrong ebuilds or just
throw a warning (preferably customized with make.conf).

Just my 2 cents. ;)


Alexander
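
The check proposed in this message, sketched as an added example that is not part of the original mail and is not Portage code: a detached GnuPG signature is made at release time and verified with gpgv before an ebuild is used. The function names, the `.asc` suffix and the `VERIFY_POLICY` setting (standing in for the make.conf option the mail suggests) are assumptions.

```shell
#!/bin/sh
# Added illustration, not Portage code. VERIFY_POLICY is a hypothetical
# setting standing in for the make.conf option suggested in the mail:
#   strict = discard files without a valid signature (default)
#   warn   = print a warning but still accept the file

# sign_ebuild FILE
# Release side: write FILE.asc, a detached ASCII-armoured signature made
# with the default secret key found in $GNUPGHOME.
sign_ebuild() {
    gpg --batch --yes --quiet --armor --output "$1.asc" --detach-sign "$1"
}

# export_keyring OUT
# Release side: export the public keys to OUT so clients can pin them.
# gpgv trusts every key in the keyring it is given, so OUT must contain
# only the release key(s) and must reach clients over a trusted channel,
# not through the same mirror that serves the ebuilds.
export_keyring() {
    gpg --batch --yes --quiet --output "$1" --export
}

# check_ebuild FILE KEYRING [POLICY]
# Client side: verify FILE against FILE.asc using only the keys in
# KEYRING (absolute path). Returns 0 if FILE may be used, 1 if it must
# be discarded. A missing signature is treated like a bad one, otherwise
# deleting the .asc file on a mirror would bypass the check.
check_ebuild() {
    file=$1
    keyring=$2
    policy=${3:-${VERIFY_POLICY:-strict}}

    if [ -f "$file.asc" ] &&
       gpgv --keyring "$keyring" "$file.asc" "$file" 2>/dev/null; then
        return 0
    fi

    case $policy in
        warn)
            echo "WARNING: no valid signature for $file" >&2
            return 0 ;;
        *)
            echo "ERROR: discarding $file: no valid signature" >&2
            return 1 ;;
    esac
}
```

In `warn` mode a tampered file is still accepted, so that setting only makes sense as a transition aid while signatures are being rolled out.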


