On Tue, 2010-04-06 at 14:15 -0400, Butterworth, John W. wrote:
> How can I verify that the installed packages on a Gentoo system came
> from the same source that was on a main rotation mirror and/or
> “blessed” by the Gentoo development team?
>
> By verifying the checksum located in /var/db/pkg/$APPNAME/CONTENTS am
> I only confirming that the source was the same as that which was
> downloaded from the mirror?
>
> I guess what I’m getting at is how can I be sure I can trust a
> mirror?
>
> Thank you very much in advance for any insight provided,

It really depends on your level of paranoia. Ultimately it can't be trusted at all. If you really want to be sure, then just get the source/manifest from your "trusted" mirror and compare.
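
The CONTENTS check asked about above, as an added example that is not part of the original thread: it parses a Portage CONTENTS file and compares each recorded MD5 with the file on disk, which shows that installed files still match what was recorded at merge time and nothing about where the sources came from. The `obj`/`dir`/`sym` line layout is Portage's; the function names, the `root` parameter and the file tree in `demo()` are constructed for illustration.

```python
import hashlib, os, tempfile

def parse_contents(text):
    """Yield (kind, path, md5) tuples from Portage CONTENTS lines."""
    for line in text.splitlines():
        if line.startswith("obj "):
            # obj <path> <md5> <mtime>; paths may contain spaces, so split from the right
            path, md5, _mtime = line[4:].rsplit(" ", 2)
            yield "obj", path, md5
        elif line.startswith("dir "):
            yield "dir", line[4:], None
        elif line.startswith("sym "):
            # sym <path> -> <target> <mtime>
            body, _mtime = line[4:].rsplit(" ", 1)
            path, _target = body.split(" -> ", 1)
            yield "sym", path, None

def verify(contents_text, root="/"):
    """Return {path: 'ok' | 'modified' | 'missing'} for every recorded regular file."""
    result = {}
    for kind, path, md5 in parse_contents(contents_text):
        if kind != "obj":
            continue  # only regular files carry a checksum
        real = os.path.join(root, path.lstrip("/"))
        try:
            with open(real, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
        except FileNotFoundError:
            result[path] = "missing"
            continue
        result[path] = "ok" if digest == md5 else "modified"
    return result

def demo():
    """Build a constructed tree plus CONTENTS text, then tamper with one file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/bin"))
    files = {"/usr/bin/tool": b"original\n", "/usr/bin/my tool": b"spaces\n"}
    lines = ["dir /usr/bin"]
    for path, data in files.items():
        with open(os.path.join(root, path.lstrip("/")), "wb") as fh:
            fh.write(data)
        lines.append(f"obj {path} {hashlib.md5(data).hexdigest()} 1270577700")
    lines.append("obj /usr/bin/gone d41d8cd98f00b204e9800998ecf8427e 1270577700")
    lines.append("sym /usr/bin/t -> tool 1270577700")
    with open(os.path.join(root, "usr/bin/tool"), "wb") as fh:
        fh.write(b"tampered\n")  # simulate a post-install modification
    return verify("\n".join(lines), root)

if __name__ == "__main__":
    for path, status in demo().items():
        print(status, path)
```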