From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1NzF9R-0001mq-0v for garchives@archives.gentoo.org; Tue, 06 Apr 2010 20:13:33 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id C7329E0D7A; Tue, 6 Apr 2010 20:12:41 +0000 (UTC) Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by pigeon.gentoo.org (Postfix) with SMTP id BE6A0E0D7A for ; Tue, 6 Apr 2010 20:12:39 +0000 (UTC) Received: (qmail invoked by alias); 06 Apr 2010 20:12:38 -0000 Received: from e181232105.adsl.alicedsl.de (EHLO toxic.dbnet) [85.181.232.105] by mail.gmx.net (mp072) with SMTP; 06 Apr 2010 22:12:38 +0200 X-Authenticated: #351132 X-Provags-ID: V01U2FsdGVkX190HgR0jal0DmzkHW4nYY2zAMdLNKa/GJAeKrjClK K95244WHRztO8Z Date: Tue, 6 Apr 2010 22:10:17 +0200 From: Jonas de Buhr To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Portage + checksums Message-ID: <20100406221017.78fc1676@toxic.dbnet> In-Reply-To: <8622C222D2FC9D499533B1EEF631D3930332DB4A6F@IMCMBX1.MITRE.ORG> References: <8622C222D2FC9D499533B1EEF631D3930332DB4A02@IMCMBX1.MITRE.ORG> <1270578256.32172.6.camel@necropolis> <8622C222D2FC9D499533B1EEF631D3930332DB4A6F@IMCMBX1.MITRE.ORG> X-Mailer: Claws Mail 3.7.5 (GTK+ 2.18.7; x86_64-pc-linux-gnu) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Y-GMX-Trusted: 0 X-FuHaFi: 0.67000000000000004 X-Archives-Salt: 3464077b-0af9-4834-a4b1-db77e0201a75 X-Archives-Hash: f6b726cf9977d317ce45204f91d6c7b6 Hi! >Do you know if someone makes a change to a copy of apache hosted on a >public mirror, will the sync between the servers determine that it's >corrupted (via 'bad' checksum) on the public side and replace it? I'm not sure how gentoo mirrors do the syncing but in a lot of cases an error like this would show up on the downloading (client-/mirror-) side which wont help you at all if you don't trust the mirror. The way I undestand this a problem is that any mirror may simply regenerate hash values like RMD160 or SHA1 for modified sourcefiles. If you don't compare them to those from a trusted server you will never know. So a general aproach to this may be that some gentoo core team would sign everything with one (or a set of) private key(s) of some kind and publish the corresponding public key(s) on their website and with the install images. The signature could easily be copied to mirrors but not regenerated for changed sourcefiles. However that would be a lot more work for the gentoo developers since *few* (else it's pointless) trusted people with access to the private key would have to approve every single update for every arch and compare every source tarball to a trusted one. Maybe you could run your own mirror and sync it to a trusted one? Bye, jdb