On Sat, 18 Oct 2003 20:41:01 +0900 Jason Stubbs <[EMAIL PROTECTED]> wrote:
> Armchair dev here ;-)
>
> If the md5sum shows up as wrong would the following procedure be safe?
> 1) Check if the file downloaded was taken directly from the site that
> hosts the project.
> 2) If it was then assume the md5sum in portage is wrong and create a
> new digest.

BLEEP. Wrong. The file on their ftp may well have been altered post checking by a dev. Or you could have a man in the middle / proxy that changes the data for you.

> 3) Find a file with matching filename on the site that hosts the
> project.

This is where you hunt down -their- published GPG signature of the file, and compare with the one you downloaded. Or their published md5 sum.

> 4) If the md5sum matches that file, use it to continue the
> emerge.

BLEEP, see post 2.

> 5) If the md5sum of that file matches the md5sum of the file
> downloaded from the mirrors, assume the md5sum in the portage tree is
> wrong and create a new digest.

That's the danger again.

> 6) All other cases, seek assistance/confirmation.
>
> I've never been one to just accept a statement like "don't do it
> anyhow".
> Actually, I've never been one to 'just' accept anything. ;-)
>

Well the main problem is that you can't be sure that it hasn't been modified upstream (see the irssi cases, the GNU Ftp or a few other such points where the ftp was compromised and their sources were modified post release).

The best "track down" bet is to simply use a different mirror, or go upstream. Hunt for a file that matches the md5sum in portage.

//Spider

-- 
This is a .signature virus! Please copy me into your .signature! See Microsoft KB Article Q265230 for more information.
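The reasoning in the reply above, as an added Python example that is not part of this thread or of portage: it checks a distfile against an old-style Gentoo digest entry (format assumed: `MD5 <hex> <filename> <size>`) and maps a mismatch to the reply's conclusion (retry another mirror if the dev and upstream agree; never regenerate the digest just because the copy matches upstream's current sum). The digest line and the 5-byte "distfile" are constructed sample data.

```python
import hashlib
import os
import tempfile

# Assumed old-style Gentoo digest entry: MD5 <hex> <file> <size>; constructed sample, md5("hello")
SAMPLE_DIGEST = "MD5 5d41402abc4b2a76b9719d911017c592 foo-1.0.tar.gz 5\n"


def parse_digest(digest_text):
    """Map filename -> (md5 hex, size) from digest lines; ignore junk lines."""
    entries = {}
    for line in digest_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "MD5":
            entries[parts[2]] = (parts[1].lower(), int(parts[3]))
    return entries


def file_md5_and_size(path):
    """Stream the file so large tarballs do not need to fit in memory."""
    h, size = hashlib.md5(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def verify_against_digest(path, digest_text):
    """True only when both md5 and size match the digest entry for this name."""
    expected = parse_digest(digest_text).get(os.path.basename(path))
    return expected is not None and file_md5_and_size(path) == expected


def decide(local_md5, portage_md5, upstream_md5):
    """The reply's reasoning applied to a checksum mismatch."""
    if local_md5 == portage_md5:
        return "ok"
    if upstream_md5 == portage_md5:
        return "retry-other-mirror"      # dev and upstream agree; this copy is the odd one out
    if upstream_md5 == local_md5:
        return "do-not-regenerate"       # upstream may be altered post-check; a match proves nothing
    return "seek-confirmation"           # step 6 of the quoted procedure


def demo():
    path = os.path.join(tempfile.mkdtemp(), "foo-1.0.tar.gz")
    with open(path, "wb") as f:
        f.write(b"hello")                # genuine copy: matches SAMPLE_DIGEST
    good = verify_against_digest(path, SAMPLE_DIGEST)
    with open(path, "wb") as f:
        f.write(b"hellp")                # same size, one byte changed
    return good, verify_against_digest(path, SAMPLE_DIGEST)
```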