I think this has been brought up many times before, but as most of us know, many of the debian servers have been compromised recently. This has reinstated fear into many people about how "trustful" our distfile repositories really are. If indeed one is compromised it would be too easy for someone to slip a backdoor into a package, especially since I and a lot of other gentoo users simply ignore md5 checksums. If a digest fails we simply ebuild foo.ebuild digest it again. I think an option should be made that would allow failing packages if gpg fails. (I think Redhat does something like this) This of course is not a fool proof way, but a big improvement over what is currently done to ensure package integrity.
Yi
signature.asc
Description: This is a digitally signed message part
