
paranoid at gentoo
Nov 12, 2004, 12:00 AM
Post #4 of 4
On Mon, 8 Nov 2004, Peter Simons wrote:

> Ervin Németh writes:
>> How about this: the developers have to sign the files
>> they upload, but do this before they upload them?
>
> I believe that it is practically unfeasible to verify the
> signatures of dozens of people which are spread over dozens
> of different directories. By building the signatures into
> Portage only, you require the user to have a working Gentoo
> system before he can verify he has a _real_ Gentoo system.
> When Portage runs the checks, it is too late. You have to be
> able to verify the authenticity of your downloaded files
> before you start the first executable you've downloaded.
> That's why I am in favor of a simple, ordinary text file
> which is GPG-signed and contains ordinary hashes.

Before you have a Gentoo system, you need to download a Gentoo CD image, or you need to get a Gentoo CD. The Gentoo CD images can be signed themselves, so you can verify it before it is extracted. After you've booted with the install image, it's too late - how do you trust the software on the install disk, if you haven't checked it already?

Is there a way you can install Gentoo without using an install image? Well, I know one, but it basically would be 'download portage code, check signature, install code, run code'. I don't see the problem.

The only way I'd see a problem here is if the user didn't have cryptographic checking software already, in which case it isn't a problem, because the user is trusting everything. (That is, there's nothing you can do to assure them of the Gentoo package authenticity, so there's no need to worry about it.)

Ed
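The "check signature, check hashes, only then install and run" order that Peter and Ed describe, as an added shell example that is not code from the thread or from Gentoo. It assumes gpg and sha256sum on PATH, a plain sha256sum manifest with a detached signature, and a signing public key already imported and trusted; obtaining that key is the bootstrap question the thread is about, and the script only refuses to proceed without it.

```shell
#!/bin/sh
# Added example (not from the thread or from Gentoo): verify a GPG-signed
# manifest of hashes BEFORE anything it covers is installed or executed.
# Assumptions: gpg and sha256sum on PATH; MANIFEST is a sha256sum list
# ("<hex>  <file>") with a detached signature MANIFEST.sig; the signing key
# is already imported into GNUPGHOME. Trusting that key is a separate,
# earlier problem that this script cannot solve.
set -u

# verify_manifest MANIFEST SIG -> 0 if the signature is good AND every hash
# matches, 1 on a bad or missing signature, 2 on a hash mismatch.
verify_manifest() {
    manifest="$1"; sig="$2"
    # 1. Signature first: an unverified manifest is not even parsed.
    if ! gpg --batch --verify "$sig" "$manifest" >/dev/null 2>&1; then
        echo "BAD SIGNATURE: $manifest" >&2
        return 1
    fi
    # 2. Only a signed manifest's hash lines are trusted; check them from the
    #    manifest's directory so the relative file names resolve.
    if ! (cd "$(dirname "$manifest")" && sha256sum -c "$(basename "$manifest")" >/dev/null 2>&1); then
        echo "HASH MISMATCH: a file listed in $manifest was altered" >&2
        return 2
    fi
    return 0
}

# verify_then_run MANIFEST SIG SCRIPT: the "install code, run code" step,
# taken only after verify_manifest succeeds and SCRIPT is actually covered.
verify_then_run() {
    manifest="$1"; sig="$2"; script="$3"
    verify_manifest "$manifest" "$sig" || return $?
    grep -q "  $(basename "$script")\$" "$manifest" || {
        echo "REFUSED: $script is not covered by $manifest" >&2; return 3; }
    sh "$script"
}
```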