So to avoid "spamming" with 20+ Thank You emails I'll send out just one and thank you all collectively for the information provided (I hope this isn't rude - I'm not sure of proper protocol in this situation). I have a lot more insight now and some new ideas of where I need to look to learn more. This is a great community and it reflects in the OS - I don't know why I waited so long to try Gentoo!

-john

-----Original Message-----
From: Jonas de Buhr [mailto:jonas.de.buhr@gmx.net]
Sent: Wednesday, April 07, 2010 8:35 AM
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Portage + checksums

> This was an argument against Gentoo more than six or seven years ago
> with regards to the security of whole portage system.

Every package management system which uses hashes to verify integrity has the same problems. I think a lot of source tarballs are downloaded from the official sites anyway. Someone really paranoid might manually check the patches.

> A number of
> suggestions were made in those early days, one of them being to sync
> with two mirrors and diff the ebuilds/Manifests/Distfiles affected by
> these two most recent syncs. As far as I know people didn't go for
> this because it was perceived that the system as implemented was
> secure enough and anyway the proposed solution would put too much
> pressure on the mirrors.

I do not have the intention to restart the discussion you mentioned. But getting hashes and tarballs from the same source (mirror) doesn't go far for security.

At the moment I just trust the official mirrors and trust that the community would realize soon if there were trojaned packages the same way I trust apache or the kernel devs not to do anything funny.

But I still like the idea of files signed with asynchr. crypt. I sure will have a look into "FEATURES=sign".

/jdb
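A worked illustration of the point made in the quoted mail, that a Manifest fetched from the same mirror as the tarball only proves the download matched what the mirror wanted you to see, while a Manifest signed by a key the mirror never holds does not survive re-hashing. This is added example code, not from the thread, from Portage or from FEATURES=sign. The file names, tarball contents and the "mirror" are constructed; the Manifest format only follows the shape of Portage's `DIST name size HASH value` lines; and the signature scheme is textbook RSA with small locally generated primes, a deliberately toy stand-in for the OpenPGP signatures Portage actually uses.

```python
"""Hash-only versus signed Manifest checks against a tampering mirror (toy, constructed data)."""
import hashlib
import random

FILENAME = "foo-1.0.tar.gz"                      # constructed distfile name
GOOD_TARBALL = b"genuine upstream release of foo 1.0\n"
EVIL_TARBALL = GOOD_TARBALL + b"plus an extra payload\n"


# --- Manifest handling (modelled on Portage's "DIST name size HASH value" lines) ---

def make_manifest(files):
    """Build Manifest text: one DIST line per distfile with its size and SHA512."""
    return "".join(
        f"DIST {name} {len(data)} SHA512 {hashlib.sha512(data).hexdigest()}\n"
        for name, data in sorted(files.items())
    )


def parse_manifest(text):
    """Return {filename: (size, sha512_hex)} from the DIST lines of a Manifest."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "DIST":
            hashes = dict(zip(parts[3::2], parts[4::2]))  # HASHNAME value pairs
            entries[parts[1]] = (int(parts[2]), hashes["SHA512"])
    return entries


def check_distfile(manifest, name, data):
    """Client-side integrity check: size and SHA512 must match the Manifest entry."""
    size, digest = manifest[name]
    return len(data) == size and hashlib.sha512(data).hexdigest() == digest


# --- Toy RSA signatures (no padding, small keys; stand-in for OpenPGP signing) ---

def _probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test with `rounds` random bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _probable_prime(cand, rng):
            return cand


def rsa_keygen(bits=512, seed=0):
    """Return ((n, e), (n, d)) with an ~bits-wide modulus; seeded so runs repeat."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e is prime, so e not dividing phi gives gcd 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(message):
    """SHA-256 of the message as an integer; always smaller than a 512-bit modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def rsa_sign(priv, message):
    n, d = priv
    return pow(_digest_int(message), d, n)


def rsa_verify(pub, message, signature):
    n, e = pub
    return pow(signature, e, n) == _digest_int(message)


# --- Scenario: developer signs once off-mirror, mirror serves, client verifies ---

def mirror_serves(mode, dev_manifest, dev_signature):
    """Constructed mirror; returns (manifest_text, signature, distfile) as fetched."""
    if mode == "honest":
        return dev_manifest, dev_signature, GOOD_TARBALL
    if mode == "swap_tarball":            # tarball replaced, Manifest left untouched
        return dev_manifest, dev_signature, EVIL_TARBALL
    if mode == "swap_and_rehash":         # tarball replaced and Manifest regenerated to match;
        # the mirror has no signing key, so the best it can do is replay the old signature
        return make_manifest({FILENAME: EVIL_TARBALL}), dev_signature, EVIL_TARBALL
    raise ValueError(mode)


def client_accepts(manifest_text, signature, data, pubkey=None):
    """pubkey=None: trust the mirror's Manifest and check hashes only.
    With pubkey: reject any Manifest whose signature does not verify first."""
    if pubkey is not None and not rsa_verify(pubkey, manifest_text.encode(), signature):
        return False
    return check_distfile(parse_manifest(manifest_text), FILENAME, data)


def run_scenarios(seed=0):
    """Return {(check_kind, mirror_mode): accepted} for every combination."""
    pub, priv = rsa_keygen(seed=seed)
    dev_manifest = make_manifest({FILENAME: GOOD_TARBALL})
    dev_signature = rsa_sign(priv, dev_manifest.encode())  # signed by the developer, never by the mirror
    results = {}
    for mode in ("honest", "swap_tarball", "swap_and_rehash"):
        served = mirror_serves(mode, dev_manifest, dev_signature)
        results[("hash_only", mode)] = client_accepts(*served)
        results[("signed", mode)] = client_accepts(*served, pubkey=pub)
    return results


if __name__ == "__main__":
    for (kind, mode), ok in sorted(run_scenarios().items()):
        print(f"{kind:9s} {mode:16s} -> {'ACCEPTED' if ok else 'rejected'}")
```

The interesting row is `hash_only swap_and_rehash`: the client accepts the swapped tarball because the Manifest it compares against came from the same place, which is exactly the "same source" problem in the mail. The signed variant rejects that case because the regenerated Manifest no longer matches the developer's signature, and it still rejects the plain tarball swap through the ordinary hash check. The diff-two-mirrors idea from the quoted thread is a weaker version of the same separation: it only helps if the two mirrors are not both compromised.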