Joined: 21 Nov 2002
Posted: Thu Nov 21, 2002 6:26 am Post subject: Package Integrity/Validation Process
I am curious about the package submission process as it pertains to the integrity of the packages that are available in the portage tree.
I'm aware of the digest function, which is good for ensuring that packages are indeed unchanged from what was uploaded by the package maintainer. However, my question goes beyond that.
- Do all packages use digesting, or is it considered optional?
- What process is used to ensure the integrity of the original sources? Is there any validation as to its integrity prior to creating ebuilds? Is it validated as free from trojans or other compromises? Case in point would be the recent openssh problems.
- Is there any check process in place to verify packages from a given maintainer are good? For example, what's to stop someone from becoming a package maintainer and effectively maintaining their own army of compromised Gentoo systems? I guess this also begs the next question...
- Is there any mechanism in place to validate/verify maintainer credibility?
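A small illustration of the digest check the post refers to, added here as an example and not taken from Portage itself. The `MD5 <hex> <filename> <size>` line layout is an assumption modelled on the digest files of that era, and the distfile contents are constructed. It shows that the digest catches a file altered after the maintainer recorded it, but passes a file that was already compromised when the digest was made, which is exactly the gap the post is asking about.

```python
import hashlib
from typing import Dict, Tuple

NAME = "foo-1.0.tar.gz"

# Constructed sample distfile contents (not a real Gentoo distfile).
DISTFILES = {NAME: b"pretend tarball contents, as fetched from upstream\n"}


def make_digest_line(name: str, data: bytes) -> str:
    # Assumed layout: "MD5 <hex> <filename> <size>", one line per distfile.
    return f"MD5 {hashlib.md5(data).hexdigest()} {name} {len(data)}"


# The digest the maintainer would ship alongside the ebuild.
DIGEST_FILE = make_digest_line(NAME, DISTFILES[NAME])


def parse_digest(text: str) -> Dict[str, Tuple[str, int]]:
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "MD5":
            raise ValueError(f"malformed digest line: {line!r}")
        _, hexdigest, name, size = parts
        entries[name] = (hexdigest.lower(), int(size))
    return entries


def verify_distfile(name: str, data: bytes, digest_text: str) -> bool:
    entries = parse_digest(digest_text)
    if name not in entries:
        return False  # no digest recorded, so nothing to check against
    expected_hex, expected_size = entries[name]
    if len(data) != expected_size:
        return False
    # MD5 only because that is the format being modelled here.
    return hashlib.md5(data).hexdigest() == expected_hex


def check_scenarios() -> Dict[str, bool]:
    good = DISTFILES[NAME]
    # Same length, one byte changed in transit: size passes, hash fails.
    tampered_in_transit = good[:-2] + b"X\n"
    # Upstream compromised before the maintainer ran digest: the digest
    # was computed over the bad file, so verification succeeds anyway.
    compromised_upstream = b"pretend tarball with a planted backdoor\n"
    digest_over_bad = make_digest_line(NAME, compromised_upstream)
    return {
        "pristine": verify_distfile(NAME, good, DIGEST_FILE),
        "tampered_in_transit": verify_distfile(NAME, tampered_in_transit, DIGEST_FILE),
        "compromised_before_digest": verify_distfile(NAME, compromised_upstream, digest_over_bad),
    }
```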