On 05/07/2014 08:59 AM, Alan McKinnon wrote:
>
> >>>> Verifying ebuild manifests
>
> >>>> Emerging (1 of 1) app-doc/mysql-refman-5.5::alan
> !!! Previously fetched file:
> '/var/distfiles/refman-5.5-en.html-chapter.tar.gz'
> !!! Reason: Failed on SHA256 verification
> !!! Got:
> 2eb9f21b4bc88b89a05e28b8a25ec221d36677ee13f2733c1dd1d0d28e81ad0d
> !!! Expected:
> 2eb9f21b4bc88b89a05e28b8a25ec221d36677ee13f2733c1dd1d0d28e81ad0e
> Refetching... File renamed to
> '/var/distfiles/refman-5.5-en.html-chapter.tar.gz._checksum_failure_.1s4y_D'
This relies on two things. First, that the maintainer got the right tarball and actually verified the upstream signature (one can hope). Second, that the manifest you got wasn't modified by an evil mirror. It's possible for maintainers to sign the manifest with their GPG keys, but not required at the moment. Once signed manifests are ubiquitous, we'll be able to automatically verify the signatures... somehow. There are other problems though. Like the fact that the eclasses are unsigned, and can do whatever they want to an ebuild. There are GLEPs for some of this stuff, and 63 was just finalized, but I'm not sure about the state of the rest of them.
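The check Portage is doing in the quoted output, and the gap described above (a mirror that rewrites both the distfile and the Manifest passes it), as an added Python example. This is not Portage's code. It follows the Manifest2 "DIST <file> <size> <HASH> <hex> ..." line layout Portage uses; the set of hash names, the sample tarball bytes, the file name and the function names are assumptions made for the example.

```python
"""Manifest2 DIST verification, modelled on the Portage check quoted above.

Added example, not Portage code.  Assumed layout of a Manifest DIST line:
    DIST <filename> <size> <HASHNAME> <hexdigest> [<HASHNAME> <hexdigest> ...]
"""
import hashlib

# Hash names as they would appear in a Manifest, mapped to hashlib constructors.
# This particular set is an assumption for the example.
HASHES = {
    "SHA256": hashlib.sha256,
    "SHA512": hashlib.sha512,
    "BLAKE2B": hashlib.blake2b,
}


def parse_manifest(text):
    """Return {filename: (size, {hashname: hexdigest})} from the DIST lines."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 5 or fields[0] != "DIST":
            continue  # blanks and AUX/EBUILD/MISC lines are not handled here
        name, size = fields[1], int(fields[2])
        pairs = fields[3:]
        if len(pairs) % 2:
            raise ValueError("odd number of hash fields for %s" % name)
        digests = {pairs[i].upper(): pairs[i + 1].lower()
                   for i in range(0, len(pairs), 2)}
        entries[name] = (size, digests)
    return entries


def make_manifest_line(name, data):
    """Maintainer side: record size and digests for a fetched tarball."""
    parts = ["DIST", name, str(len(data))]
    for hname, ctor in HASHES.items():
        parts += [hname, ctor(data).hexdigest()]
    return " ".join(parts)


def verify_distfile(name, data, entries):
    """User side: compare fetched bytes against the Manifest entry.

    Returns (ok, problems); problems lists 'HASH: got X expected Y' strings,
    or a single size / missing-entry / no-usable-hash message.
    """
    if name not in entries:
        return False, ["no DIST entry for %s" % name]
    size, digests = entries[name]
    if len(data) != size:
        return False, ["size: got %d expected %d" % (len(data), size)]
    problems, checked = [], 0
    for hname, expected in digests.items():
        ctor = HASHES.get(hname)
        if ctor is None:
            continue  # unknown hash name: skip, but insist on at least one known
        got = ctor(data).hexdigest()
        checked += 1
        if got != expected:
            problems.append("%s: got %s expected %s" % (hname, got, expected))
    if checked == 0:
        problems.append("no supported hash in Manifest entry for %s" % name)
    return not problems, problems


def demo():
    """Three scenarios; returns the ok flag of each."""
    name = "refman-5.5-en.html-chapter.tar.gz"
    good = b"constructed stand-in for the tarball bytes\n" * 64  # constructed
    entries = parse_manifest(make_manifest_line(name, good))

    honest_ok, _ = verify_distfile(name, good, entries)

    tampered = bytearray(good)
    tampered[0] ^= 1  # one bit flipped in the distfile only
    evil_file_ok, _ = verify_distfile(name, bytes(tampered), entries)

    # Mirror rewrites the Manifest too: digests agree, the hash check passes.
    # Only a signature over the Manifest from a key the mirror lacks catches this.
    evil_entries = parse_manifest(make_manifest_line(name, bytes(tampered)))
    evil_both_ok, _ = verify_distfile(name, bytes(tampered), evil_entries)

    return honest_ok, evil_file_ok, evil_both_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The third result in demo() is the point of the paragraph: an unsigned Manifest only ties the distfile to whatever the mirror handed you alongside it, so a mirror that serves a matching pair of tampered tarball and tampered Manifest is indistinguishable from an honest one.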

