On Saturday 24 June 2006 18:51, Jarry wrote:
> Anyway, I am still surprised a little. I thought sources
> of portage-packages are mirrored on gentoo-mirrors...

They are. If the package has just been added to the tree they may not have 
reached your mirror yet. If that is not the reason then it is probably a bug. 
The official mirror should be in the ebuild to tell the mirrors where to 
fetch it from and as a backup if it cannot be found on the Gentoo mirrors.

> It seems to me to be a little "insecure", to download
> mod_security from somewhere "from wild" instead of
> gentoo-mirrors or homepage. One can not be sure those
> sources have not been modified...

As long as you don't override a digest verification error you are safe. Beware 
of those who tell you to override a digest verification error by running:

# ebuild $ebuild digest

or:

# emerge --digest $pkg

-- 
Bo Andresen