Subject: Re: [gentoo-user] Portage + checksums
From: "Albert W. Hopkins"
To: gentoo-user@lists.gentoo.org
Date: Tue, 06 Apr 2010 14:24:16 -0400
Message-ID: <1270578256.32172.6.camel@necropolis>
In-Reply-To: <8622C222D2FC9D499533B1EEF631D3930332DB4A02@IMCMBX1.MITRE.ORG>

On Tue, 2010-04-06 at 14:15 -0400, Butterworth, John W. wrote:
> How can I verify that the installed packages on a Gentoo system came
> from the same source that was on a main rotation mirror and/or
> “blessed” by the Gentoo development team?
>
> By verifying the checksum located in /var/db/pkg/$APPNAME/CONTENTS am
> I only confirming that the source was the same as that which was
> downloaded from the mirror?
>
> I guess what I’m getting at is how can I be sure I can trust a
> mirror?
>
> Thank you very much in advance for any insight provided,

It really depends on your level of paranoia. Ultimately it can't be
trusted at all. If you really want to be sure then just the
source/manifest from your "trusted" mirror and compare.
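
One way the "compare" step above could be scripted, as an added example that is not part of the original message or of Portage itself: it parses the `DIST <file> <size> <HASH> <hex> ...` lines of two Manifests (the local copy and one obtained from the mirror you trust), reports entries that disagree, and checks a downloaded file against the trusted entry. The function names, file name, sample bytes and Manifest lines are all constructed for illustration.

```python
import hashlib

# Manifest hash names this sketch can recompute; others are only compared as text.
SUPPORTED = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}

def parse_manifest(text):
    """Return {distfile: (size, {HASH: hexdigest})} from the DIST lines."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] == "DIST":
            pairs = f[3:]
            hashes = {pairs[i].upper(): pairs[i + 1].lower()
                      for i in range(0, len(pairs) - 1, 2)}
            entries[f[1]] = (int(f[2]), hashes)
    return entries

def compare_manifests(local_text, trusted_text):
    """List (distfile, reason) where the local record disagrees with the trusted one."""
    local, trusted = parse_manifest(local_text), parse_manifest(trusted_text)
    problems = []
    for name, (size, hashes) in sorted(local.items()):
        if name not in trusted:
            problems.append((name, "missing from trusted Manifest"))
            continue
        t_size, t_hashes = trusted[name]
        if size != t_size:
            problems.append((name, "size differs"))
        common = sorted(set(hashes) & set(t_hashes))
        if not common:
            problems.append((name, "no hash type in common"))
        problems += [(name, h + " differs") for h in common if hashes[h] != t_hashes[h]]
    return problems

def verify_distfile(data, name, trusted_text):
    """True only if the bytes match the trusted size and every recomputable hash."""
    size, hashes = parse_manifest(trusted_text).get(name, (None, {}))
    usable = [h for h in hashes if h in SUPPORTED]
    if size != len(data) or not usable:
        return False
    return all(hashlib.new(SUPPORTED[h], data).hexdigest() == hashes[h] for h in usable)

# Constructed sample data: a fake distfile and the Manifest lines describing it.
NAME = "example-1.0.tar.gz"
GOOD = b"constructed sample distfile\n"
ALTERED = GOOD.replace(b"sample", b"SAMPLE")  # same length, different content
def dist_line(data):
    return "DIST %s %d SHA256 %s\n" % (NAME, len(data), hashlib.sha256(data).hexdigest())
TRUSTED, LOCAL = dist_line(GOOD), dist_line(ALTERED)

if __name__ == "__main__":
    print(compare_manifests(LOCAL, TRUSTED))
    print(verify_distfile(ALTERED, NAME, TRUSTED))
```

The result is only as trustworthy as the channel over which the trusted Manifest was obtained.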