On Tuesday 06 April 2010 20:56:30 Butterworth, John W. wrote:
> Thanks.
>
> Do you know if someone makes a change to a copy of apache hosted on a
> public mirror, will the sync between the servers determine that it's
> corrupted (via 'bad' checksum) on the public side and replace it?

I can answer this, I run a public Gentoo mirror (not an official one).

If I, or some clown, loads a trojaned copy of Apache source code into my
distfiles mirror, portage will complain bitterly because the hash in the
manifest will fail. Then you will know something is wrong.

If I trojan the ebuild and the portage tree to match my trojaned sources,
you will probably not pick it up. This would be very risky indeed for me to
do as I can't be sure you will sync the tree and get your distfiles from me.
You can check if my portage tree is up to date and how often I sync it by
comparing timestamps between me and upstream master at gentoo.org. In my
case, any trojans I host will get overwritten by gentoo.org masters every 12
hours. Except if I have a sneaky --exclude in my rsync command, or my cron
syncs and then puts the trojan back.

It's not quite as simple as that, but the above will suffice to illustrate
what someone already said: You cannot completely 100% trust a public mirror,
or even gentoo.org for that matter.

I know I don't pull sneaky stunts with my mirror but I can't prove that to
you. I trust upstream to always do the right thing and I hope you feel you
can trust me likewise. But if you don't, I have no choice but to accept your
wishes and leave you to run whatever checksum comparisons you feel are
appropriate for your needs.

>
> -john
>
> -----Original Message-----
> From: Albert W. Hopkins [mailto:mar...@letterboxes.org]
> Sent: Tuesday, April 06, 2010 2:24 PM
> To: gentoo-user@lists.gentoo.org
> Subject: Re: [gentoo-user] Portage + checksums
>
> On Tue, 2010-04-06 at 14:15 -0400, Butterworth, John W. wrote:
> > How can I verify that the installed packages on a Gentoo system came
> > from the same source that was on a main rotation mirror and/or
> > “blessed” by the Gentoo development team?
> >
> > By verifying the checksum located in /var/db/pkg/$APPNAME/CONTENTS am
> > I only confirming that the source was the same as that which was
> > downloaded from the mirror?
> >
> > I guess what I’m getting at is how can I be sure I can trust a
> > mirror?
> >
> > Thank you very much in advance for any insight provided,
>
> It really depends on your level of paranoia. Ultimately it can't be
> trusted at all.
>
> If you really want to be sure then just get the source/manifest from your
> "trusted" mirror and compare.

--
alan dot mckinnon at gmail dot com
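The two situations Alan describes (a mirror that swaps the tarball, which the Manifest hash catches; and a mirror that rewrites its Manifest to match, which only a comparison against a trusted copy of the Manifest catches, as Albert suggests), worked through as an added example. This is not Portage's code and not code from anyone in the thread. It parses Manifest2 "DIST" lines and checks a downloaded file against them, then diffs the mirror's DIST entries against upstream's. The Manifest lines, file name and tarball bytes are constructed samples; the hash set used to build them is the current BLAKE2B/SHA512 pair rather than the RMD160/SHA1/SHA256 of 2010, and the parser accepts whichever names appear, skipping any it cannot compute.

```python
"""Verify a Gentoo distfile against Manifest DIST entries and cross-check a
mirror's Manifest against the upstream master's.

Example code for this thread, not Portage's own. All Manifest text and
tarball bytes below are constructed stand-ins, not real Gentoo data.
"""
import hashlib
from dataclasses import dataclass

# Manifest2 hash names -> hashlib names. Gentoo's set has changed over time
# (RMD160/SHA1/SHA256 in 2010, BLAKE2B/SHA512 today); names that this build of
# hashlib cannot compute are skipped rather than treated as a failure.
HASH_NAMES = {"BLAKE2B": "blake2b", "SHA512": "sha512", "SHA256": "sha256",
              "SHA1": "sha1", "RMD160": "ripemd160"}


@dataclass(frozen=True)
class DistEntry:
    name: str
    size: int
    hashes: tuple  # ((algo, hexdigest), ...)


def parse_manifest(text: str) -> dict:
    """Return {filename: DistEntry} for the DIST lines of a Manifest.

    EBUILD/AUX/MISC lines are ignored: only DIST lines describe the tarballs
    a distfiles mirror serves. A DIST line is: DIST name size (ALGO hex)+
    """
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 == 0:
            continue
        name, size = fields[1], int(fields[2])
        hashes = tuple(zip(fields[3::2], fields[4::2]))
        entries[name] = DistEntry(name, size, hashes)
    return entries


def verify_distfile(entry: DistEntry, data: bytes) -> list:
    """Return a list of mismatches; [] means the file matches its entry."""
    problems = []
    if len(data) != entry.size:
        problems.append(f"size {len(data)} != {entry.size}")
    checked = 0
    for algo, expected in entry.hashes:
        ctor = HASH_NAMES.get(algo)
        if ctor is None or ctor not in hashlib.algorithms_available:
            continue
        checked += 1
        if hashlib.new(ctor, data).hexdigest() != expected.lower():
            problems.append(f"{algo} mismatch")
    if checked == 0:
        problems.append("no verifiable hash in Manifest entry")
    return problems


def compare_manifests(upstream: dict, mirror: dict) -> list:
    """Names whose DIST entry on the mirror differs from upstream or is absent."""
    return sorted(n for n, e in upstream.items() if mirror.get(n) != e)


def dist_line(name: str, data: bytes) -> str:
    """Build a DIST line for constructed sample data (current hash set)."""
    return (f"DIST {name} {len(data)} BLAKE2B {hashlib.blake2b(data).hexdigest()} "
            f"SHA512 {hashlib.sha512(data).hexdigest()}")


# Constructed sample: the "real" tarball and a trojaned copy of it.
NAME = "httpd-2.2.15.tar.bz2"
GOOD = b"apache-2.2.15 source tree (constructed stand-in)\n"
TROJANED = GOOD + b"backdoor\n"
# Constructed upstream Manifest; the EBUILD line's digests are dummies.
UPSTREAM_MANIFEST = ("EBUILD apache-2.2.15.ebuild 12345 BLAKE2B 00 SHA512 00\n"
                     + dist_line(NAME, GOOD) + "\n")


def scenarios() -> dict:
    """Run the two cases from the thread; returns {case: problems or diffs}."""
    upstream = parse_manifest(UPSTREAM_MANIFEST)
    # Case 1: mirror swapped the tarball but still serves upstream's Manifest.
    # The Manifest hash check (what portage does on download) catches this.
    swapped_tarball = verify_distfile(upstream[NAME], TROJANED)
    # Case 2: mirror trojaned the tarball *and* rewrote its Manifest to match.
    # The local check passes; only comparing against upstream's Manifest
    # (obtained from a source you trust more than the mirror) reveals it.
    mirror = parse_manifest(dist_line(NAME, TROJANED))
    return {
        "swapped_tarball": swapped_tarball,
        "swapped_both_local_check": verify_distfile(mirror[NAME], TROJANED),
        "swapped_both_vs_upstream": compare_manifests(upstream, mirror),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result or 'OK'}")
```

The cross-check is only as good as where the "upstream" Manifest came from: fetching it over the same rsync mirror defeats the purpose, which is Alan's point that a mirror which controls both the tree and the distfiles cannot be caught by hashes alone.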