On Mon, Aug 23, 2010 at 07:55:03PM +1200, Simon Geard wrote:
> On Sun, 2010-08-22 at 19:03 -0500, Bruce Dubbs wrote:
> > bendeguz wrote:
> >
> > > 2. This means it could be possible for some package to have
> > > false checksums on the whole internet?
> > > So you can't be absolutely sure that you have downloaded a package
> > > in the form the maintainer built it?
> >
> > It's possible, but quite unlikely. It would be discovered and all over
> > the net pretty quickly. There are a lot of packages that have optional
> > crypto signatures too. See e.g. openssl.
>
> More than just openssl - for almost everything in LFS itself, the
> download sites provide GPG signatures, and it seems to be the norm for
> anything hosted on kernel.org or gnu.org. When such signatures are
> available, I make a point of checking them.
>
> Of course, GPG signatures don't mean anything either, if you don't make
> some effort at verifying the keys they're signed with. It's not really
> practical to verify them face-to-face with their owners, but I usually
> throw the key ID into Google, and check that I get some hits on relevant
> mailing lists. If there are messages from the developers citing that as
> the correct key, it's probably good (assuming their server isn't
> hopelessly compromised and the mailing list archives tampered with).
>
> Simon.
Well, while installing the base LFS and X I only checked the md5sums in
the book. I hope it's enough. It would have taken a lot of time to check
checksums at different places. I was glad I finished installing and I
didn't go mad :)

The Gentoo portage tree has a "Manifest" file which contains the
checksums of a package and it's all GPG signed.

Thank you for the suggestions so far, let me know if you have more... :)

> --
> http://linuxfromscratch.org/mailman/listinfo/blfs-support
> FAQ: http://www.linuxfromscratch.org/blfs/faq.html
> Unsubscribe: See the above information page
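The Gentoo-style Manifest check mentioned above, written out as an added example (not code from the thread or from Portage): it parses DIST lines, verifies the file's size and every digest it knows how to compute, and refuses entries that list only algorithms it cannot check. The Manifest line and file contents are constructed, with digests taken from the 3-byte string "abc"; as the thread notes, this only helps once the Manifest's own GPG signature has been verified against a trusted key, which the block does not do.

```python
import hashlib
import os
import tempfile

MANIFEST_HASHES = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256,
                   "SHA512": hashlib.sha512, "BLAKE2B": hashlib.blake2b}  # Manifest labels -> hashlib

def parse_manifest(text):
    """Parse 'DIST <name> <size> ALGO hex [ALGO hex ...]' lines into {name: (size, {ALGO: hex})}."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != "DIST" or len(f) % 2 == 0:  # need complete (ALGO, hex) pairs
            continue
        entries[f[1]] = (int(f[2]), dict(zip(f[3::2], f[4::2])))
    return entries

def verify_file(path, manifest):
    """Check the size and every supported digest; return (ok, reason)."""
    name = os.path.basename(path)
    if name not in manifest:
        return False, "no Manifest entry for " + name
    size, digests = manifest[name]
    algos = [a for a in digests if a in MANIFEST_HASHES]
    if not algos:  # an entry with only unknown algorithms must not pass silently
        return False, "no supported hash algorithm listed"
    with open(path, "rb") as fh:
        data = fh.read()
    if len(data) != size:
        return False, "size mismatch: %d != %d" % (len(data), size)
    for algo in algos:
        if MANIFEST_HASHES[algo](data).hexdigest() != digests[algo].lower():
            return False, algo + " mismatch"
    return True, "ok"

# Constructed Manifest line: the digests are those of the 3-byte content b"abc".
SAMPLE_MANIFEST = ("DIST foo-1.0.tar.gz 3 MD5 900150983cd24fb0d6963f7d28e17f72 "
                   "SHA256 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n")

def demo():
    """Verify an intact, a tampered and a truncated copy of the constructed distfile."""
    manifest = parse_manifest(SAMPLE_MANIFEST)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "foo-1.0.tar.gz")
        for label, body in (("intact", b"abc"), ("tampered", b"abd"), ("truncated", b"ab")):
            with open(path, "wb") as fh:
                fh.write(body)
            results[label] = verify_file(path, manifest)
    return results
```

Calling demo() returns the three verdicts; only the intact copy passes, and the tampered one fails on the first listed digest.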
