From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-user+bounces-109660-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1NzDK3-0007UF-Hk
	for garchives@archives.gentoo.org; Tue, 06 Apr 2010 18:16:25 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 1CD44E0BD0;
	Tue,  6 Apr 2010 18:15:11 +0000 (UTC)
Received: from smtp-bedford.mitre.org (smtp-bedford.mitre.org [129.83.20.191])
	by pigeon.gentoo.org (Postfix) with ESMTP id E502FE0BD0
	for <gentoo-user@lists.gentoo.org>; Tue,  6 Apr 2010 18:15:10 +0000 (UTC)
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1])
	by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o36IFAfK024344
	for <gentoo-user@lists.gentoo.org>; Tue, 6 Apr 2010 14:15:10 -0400
Received: from imchub2.MITRE.ORG (imchub2.mitre.org [129.83.29.74])
	by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o36IFAfC024338
	for <gentoo-user@lists.gentoo.org>; Tue, 6 Apr 2010 14:15:10 -0400
Received: from IMCMBX1.MITRE.ORG ([129.83.29.204]) by imchub2.MITRE.ORG
 ([129.83.29.74]) with mapi; Tue, 6 Apr 2010 14:15:10 -0400
From: "Butterworth, John W." <jbutterworth@mitre.org>
To: "gentoo-user@lists.gentoo.org" <gentoo-user@lists.gentoo.org>
Date: Tue, 6 Apr 2010 14:15:09 -0400
Subject: [gentoo-user] Portage + checksums 
Thread-Topic: Portage + checksums 
Thread-Index: AcrVtRd3G6pDX4J3SRyCY0SL0nWCLQ==
Message-ID: <8622C222D2FC9D499533B1EEF631D3930332DB4A02@IMCMBX1.MITRE.ORG>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
	micalg=SHA1; boundary="----=_NextPart_000_0065_01CAD593.90683E20"
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
X-Archives-Salt: d63a01a0-7270-4edd-8efc-a007b18794a5
X-Archives-Hash: 100842439582d6413a991f8bea789159

------=_NextPart_000_0065_01CAD593.90683E20
Content-Type: multipart/alternative;
	boundary="----=_NextPart_001_0066_01CAD593.90683E20"


------=_NextPart_001_0066_01CAD593.90683E20
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

How can I verify that the installed packages on a Gentoo system came from
the same source that was on a main rotation mirror and/or "blessed" by the
Gentoo development team?  

 

By verifying the checksum located in  /var/db/pkg/$APPNAME/CONTENTS am I
only confirming that the source was the same as that which was downloaded
from the mirror? 

 

I guess what I'm getting at is how can I be sure I can trust a mirror?  

 

Thank you very much in advance for any insight provided,

-john  


------=_NextPart_001_0066_01CAD593.90683E20
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
span.EmailStyle17
	{mso-style-type:personal-compose;
	font-family:"Calibri","sans-serif";
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
	{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext=3D"edit">
  <o:idmap v:ext=3D"edit" data=3D"1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

<p class=3DMsoNormal>How can I verify that the installed packages on a =
Gentoo
system came from the same source that was on a main rotation mirror =
and/or &#8220;blessed&#8221;
by the Gentoo development team? &nbsp;<o:p></o:p></p>

<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>

<p class=3DMsoNormal>By verifying the checksum located in =
&nbsp;/var/db/pkg/$APPNAME/CONTENTS
am I only confirming that the source was the same as that which was =
downloaded from
the mirror? <o:p></o:p></p>

<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>

<p class=3DMsoNormal>I guess what I&#8217;m getting at is how can I be =
sure I can
trust a mirror?&nbsp; <o:p></o:p></p>

<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>

<p class=3DMsoNormal>Thank you very much in advance for any insight =
provided,<o:p></o:p></p>

<p class=3DMsoNormal>-john &nbsp;<o:p></o:p></p>

</div>

</body>

</html>

------=_NextPart_001_0066_01CAD593.90683E20--

------=_NextPart_000_0065_01CAD593.90683E20
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIKxzCCA2Qw
ggJMoAMCAQICAQEwDQYJKoZIhvcNAQEFBQAwWjESMBAGA1UEChMJbWl0cmUub3JnMR4wHAYDVQQL
ExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxJDAiBgNVBAMTG01JVFJFIENvcnBvcmF0aW9uIFJvb3Qg
Q0EtMTAeFw0wNjA2MDEwNDAwMDBaFw0xODA2MDEwNDAwMDBaMFoxEjAQBgNVBAoTCW1pdHJlLm9y
ZzEeMBwGA1UECxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSQwIgYDVQQDExtNSVRSRSBDb3Jwb3Jh
dGlvbiBSb290IENBLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCva1qWPZiEJv5v
MtCbjt0cTu0Nbn15Q1cKqQBXKi8VSH9zZPmPxfWizJJ7JSqFJ5/sLUz3NsnUVjpLYBdFcxNXnOLj
XtmDPFOewm5T98NZc9wRRCiDzt4f8qsHFI19ShPiK3cN5UqtJf+i66QVLA1S6CNL6o2eGAsAl5Wn
xwOh2BfcWU5fNlHDVc9KKAlDDWpHjC2LLHAUbLP4ZzMIJKcLgLKFMtgM2AEfaSHzmi7WUdUHRCtC
blrF7qzPsy/jBLFrr8VcX+mb7saq95pEOilgcix0/naW7kJfM5ph7UBB+S1O/OhH+ZjQ4MjWnwE8
A/YDrQx1OVLAOi29Bsho/l8lAgMBAAGjNTAzMBIGA1UdEwEB/wQIMAYBAf8CAQMwHQYDVR0OBBYE
FMdwUQDYTf7kAdRolsU9n5qX/nQvMA0GCSqGSIb3DQEBBQUAA4IBAQAa+fVfCljimBlcfWwkfJXu
XNKWun9xloFKjnq6SPGgAIKi5LUDil60a0NaNGoGSO3I1xzYt7ncayh21qXulcVTDFqubSJdv51a
HTuJYcYUX72LN/gSq03UVLBCJzYm7ZLUlkb2YLo7xUeZ3coLFcT5AHR36kjG4cYHqXgH0liBl8jx
pN0gwgaci4sgPLUj1w4t8zoKH+zxGFwXwTP/P+etQqiJZ5T00fLLm5kz9mmnxxmmIvUGNdsCAhGh
dnF24pcrR43LNgyOBJ9DPUHBNq3kUQRO48WBKxBxflOtKzsICx/HEtIABcZn7deADHcY9spULZfB
nQYdEpyz5tgh7Y2qMIIDczCCAlugAwIBAgICNqswDQYJKoZIhvcNAQEFBQAwXTESMBAGA1UEChMJ
bWl0cmUub3JnMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxJzAlBgNVBAMTHk1JVFJF
IENvcnBvcmF0aW9uIFByaW1hcnkgQ0EtMTAeFw0wOTEyMzExMzAwMTBaFw0xMTA2MjQxMzAwMTBa
MGExEjAQBgNVBAoTCW1pdHJlLm9yZzEPMA0GA1UECxMGcGVvcGxlMRwwGgYKCZImiZPyLGQBARMM
amJ1dHRlcndvcnRoMRwwGgYDVQQDExNCdXR0ZXJ3b3J0aCBKb2huIFcuMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDRAyWz2mixPG4X7ZTgzALAg1vsVs1UicnK+eiKbgnguap1apDTLEoLPk3A
BO14Sn8RFW5Jtbv1q1SCqOT8bmRkCLZFcYmqMzso6KTahUgiVZpaScRVudLzPCVinVAPM/fmYmpq
NWMh5f/7ZzsHRX6pgJz6XltOBb/7OfdMRxJpzQIDAQABo4G8MIG5MA4GA1UdDwEB/wQEAwIF4DAd
BgNVHQ4EFgQUzBO0xWTB+4zikGqtaFvzVj18yxcwHwYDVR0jBBgwFoAUh7QPSI1iM0LBLVEaSB7C
nrsKsa0wRAYDVR0fBD0wOzA5oDegNYYzaHR0cDovL3d3dy5taXRyZS5vcmcvdGVjaC9taWkvcGtp
L2NhMV9taXRyZV9vcmcuY3JsMCEGA1UdEQQaMBiBFmpidXR0ZXJ3b3J0aEBtaXRyZS5vcmcwDQYJ
KoZIhvcNAQEFBQADggEBAFtOKmRxkXlO306Eblhwb7ITPu/uNt61JzfZAWmmj6PBwZGIO/PRRkyg
2ZfY3BXZGKNvo8opmpfdbYMVZqtHs9mNmK4KRzrxx3RMVXFH1i65jbHOc8nsz+ABtB2A+lRhqvlU
n0k9hsFKzEAZDW6sM1ENzHjifdoupvEj0TnSP5jNJWL2HR9bui3pkKTDA1s+S4zKigJJG/956Fai
TwQ1mlXz0QccP0P49RUA0+OTgcyPGJQSp2iwry8IJ1Xc/bpbjFSclUUvqogynE3xYDD8H9cXlI0N
OP0cbOduWUQGwUQAhuZWo0cRvZIF6YWUySl69ETcSqJaFrpGy6ve4eJm5zUwggPkMIICzKADAgEC
AgEFMA0GCSqGSIb3DQEBBQUAMFoxEjAQBgNVBAoTCW1pdHJlLm9yZzEeMBwGA1UECxMVQ2VydGlm
aWNhdGUgQXV0aG9yaXR5MSQwIgYDVQQDExtNSVRSRSBDb3Jwb3JhdGlvbiBSb290IENBLTEwHhcN
MDYwNjAzMTcxMzIyWhcNMTIwNjAzMTcxMzIyWjBdMRIwEAYDVQQKEwltaXRyZS5vcmcxHjAcBgNV
BAsTFUNlcnRpZmljYXRlIEF1dGhvcml0eTEnMCUGA1UEAxMeTUlUUkUgQ29ycG9yYXRpb24gUHJp
bWFyeSBDQS0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyPB7Vl0QgqgQt0u8Q2du
Rs7eZUPnhlflKPFPMXGG+iqGpImYs6nfbFPsn0q8FqklFsm/UEV2JJQ3c7Srwfrqe9CrCbVFh761
OxZI7fnUWiUasNP2ING19aAfrQ8IoJsAEtGzHeIacS+M5CN4C0yfUC6CpBZTc9ZldjLUatvJr407
K1i+7WnrRsMVKhICfgmiO/XiVR9YeXyzeRqFrLy6YtJCJuJd0QRfwKtKRpek5oU67Izr7ClHDtPJ
s7UOTjMYBS2fTzztC+wwOTp6+A3ZbEymuQcAZRwmGkjVBe2R8MiX26R02Iigz+903ZAL/6bpvx0D
nkrlR2UFr1KBGfBqmQIDAQABo4GxMIGuMBIGA1UdEwEB/wQIMAYBAf8CAQIwDgYDVR0PAQH/BAQD
AgGGMB0GA1UdDgQWBBSHtA9IjWIzQsEtURpIHsKeuwqxrTAfBgNVHSMEGDAWgBTHcFEA2E3+5AHU
aJbFPZ+al/50LzBIBgNVHR8EQTA/MD2gO6A5hjdodHRwOi8vd3d3Lm1pdHJlLm9yZy90ZWNoL21p
aS9wa2kvcm9vdGNhMV9taXRyZV9vcmcuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQBNbm7rrins3SIC
PbteX9qSN1+RJClqix/pw3IAe7u60LK0V9jVZ9E2a+c0MZiSojdcwU5rXxI2OI2wwIf6wVBo76jI
Oc+IiQRlC+V8YatGmoibqP/8WDPzlud/WQAzkjrU2nuh8KdyJG+n1kH/6772Lbra2CIk8mu8Fype
aB5P2uIJzdE+PGo82ZiyU680ukiJ9yF6UmEXuciB77tGQBRxMl6ePzIrArQnf48SmBhFD5XYLrau
eOiG7E+AzD99ig1M6WHcxWXtp3DIrVqE/DZr146NJaCWqg9NoE14cmpEllnpWLtLnn5UBYJ+QCoz
mbe1SJXOOynZ0VxMnGdh7NqgMYICvTCCArkCAQEwYzBdMRIwEAYDVQQKEwltaXRyZS5vcmcxHjAc
BgNVBAsTFUNlcnRpZmljYXRlIEF1dGhvcml0eTEnMCUGA1UEAxMeTUlUUkUgQ29ycG9yYXRpb24g
UHJpbWFyeSBDQS0xAgI2qzAJBgUrDgMCGgUAoIIBsDAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcB
MBwGCSqGSIb3DQEJBTEPFw0xMDA0MDYxODE1MDlaMCMGCSqGSIb3DQEJBDEWBBSq1Bp1B/D+PcQ/
YzqDZHMkj05nzTBnBgkqhkiG9w0BCQ8xWjBYMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAN
BggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDAHBgUrDgMCGjAKBggqhkiG9w0C
BTByBgkrBgEEAYI3EAQxZTBjMF0xEjAQBgNVBAoTCW1pdHJlLm9yZzEeMBwGA1UECxMVQ2VydGlm
aWNhdGUgQXV0aG9yaXR5MScwJQYDVQQDEx5NSVRSRSBDb3Jwb3JhdGlvbiBQcmltYXJ5IENBLTEC
AjarMHQGCyqGSIb3DQEJEAILMWWgYzBdMRIwEAYDVQQKEwltaXRyZS5vcmcxHjAcBgNVBAsTFUNl
cnRpZmljYXRlIEF1dGhvcml0eTEnMCUGA1UEAxMeTUlUUkUgQ29ycG9yYXRpb24gUHJpbWFyeSBD
QS0xAgI2qzANBgkqhkiG9w0BAQEFAASBgDnTnOJl9/7kQprPoVLUDjaKMM6etovk6NC/TWPgO4zf
4V8mAexPpfwZ20Rzv055d3Ctmxcz36OHLjFdXpC9JDC9rfjEIHVzkuEzCHtWIZ8mojYxLksjy7Xr
CbhzKrWZtsRLvcfF/C56zBa2oqMRDDno2f4mXotqI5CBCJIHujMNAAAAAAAA

------=_NextPart_000_0065_01CAD593.90683E20--