Gentoo Forums
Package Integrity/Validation Process

Joined: 21 Nov 2002
Posts: 2

Posted: Thu Nov 21, 2002 6:26 am    Post subject: Package Integrity/Validation Process

I am curious about the package submission process as it pertains to the integrity of the packages that are available in the portage tree.

I'm aware of the digest function, which is good for ensuring that packages are indeed unchanged from what was uploaded by the package maintainer. However, my question goes beyond that.

- Do all packages use digesting, or is it considered optional?

- What process is used to ensure the integrity of the original sources? Is there any validation as to its integrity prior to creating ebuilds? Is it validated as free from trojans or other compromises? Case in point would be the recent openssh problems.

- Is there any check process in place to verify packages from a given maintainer are good? For example, what's to stop someone from becoming a package maintainer and effectively maintaining their own army of compromised Gentoo systems? I guess this also begs the next question...

- Is there any mechanism in place to validate/verify maintainer credibility?
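
The digest function the post refers to, as an added illustration that is not part of the original thread or of Portage's own code: a maintainer-side generator and a user-side checker for a digest file in the assumed old Portage layout of one `<ALGO> <hex> <filename> <size>` line per distfile. The checker treats a distfile with no digest entry as a failure rather than skipping it, which is the behaviour a reader worried about "optional" digests would want. The sample files and their contents are constructed.

```python
import hashlib

# Constructed sample distfiles (not real Gentoo packages): name -> bytes.
SAMPLE_FILES = {
    "foo-1.0.tar.gz": b"pretend tarball contents\n",
    "foo-1.0-fix.patch": b"--- a\n+++ b\n",
}

def make_digest(files, algo="md5"):
    """Maintainer side: emit one '<ALGO> <hex> <name> <size>' line per file
    (assumed old Portage digest layout; MD5 was what 2002-era digests used)."""
    lines = []
    for name, data in sorted(files.items()):
        h = hashlib.new(algo, data).hexdigest()
        lines.append("%s %s %s %d" % (algo.upper(), h, name, len(data)))
    return "\n".join(lines) + "\n"

def parse_digest(text):
    """Return {name: (algo, hex, size)}; reject malformed lines outright."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 4:
            raise ValueError("malformed digest line: %r" % line)
        algo, hexdigest, name, size = parts
        entries[name] = (algo.lower(), hexdigest.lower(), int(size))
    return entries

def verify(files, digest_text):
    """User side: check every distfile. A file with no entry is reported as a
    failure, not a pass, so a missing digest cannot silently skip the check."""
    entries = parse_digest(digest_text)
    results = {}
    for name, data in files.items():
        if name not in entries:
            results[name] = "no digest entry"
            continue
        algo, expected, size = entries[name]
        if len(data) != size:
            results[name] = "size mismatch"
        elif hashlib.new(algo, data).hexdigest() != expected:
            results[name] = "hash mismatch"
        else:
            results[name] = "ok"
    return results

def demo():
    """Run the checker over the pristine set, a same-size tampered tarball,
    and a set containing an extra distfile that the digest never listed."""
    good = make_digest(SAMPLE_FILES)
    tampered = dict(SAMPLE_FILES, **{"foo-1.0.tar.gz": b"pretend tarball c0ntents\n"})
    extra = dict(SAMPLE_FILES, **{"foo-1.0-extra.tar.gz": b"unlisted"})
    return verify(SAMPLE_FILES, good), verify(tampered, good), verify(extra, good)
```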
