Alan McKinnon <alan.mckinnon <at> gmail.com> writes:
> > This is retarded, and I'm too old to do that now, so I went shopping
> > for some script/tool/code to do it for me. In fact, I do not know
> > why the integrity check is not fully integrated into ftp, rsync,
> > or whatever the download tool is?
>
> Perhaps I'm just old and retarded myself, but portage already does what
> you want.

Well, certainly portage is one common method to download, and we can
explore that thread. But I was thinking more generally.

Late last night (too late) I decided to download 'lilblue'. I poked
around on several gentoo mirrors and could not find it. So with my google
hat on, I found it on a non-typical (mirror) server. The download was
slow (300K), so naturally I became suspicious. I checked manually, but it
was late and I was tired..... The download was kicked off from the web
browser (seamonkey).

Now that I think about it, there are a myriad of ways to download
sources. What I was suggesting (inquiring?) is that a command line tool
could be readily developed (if it did not already exist) to simply check
any download against the published data (keys/hashes/etc), depending on
what is in the local dir where the download lands (is stored). It could
be used with portage files too. But why not just use a simple script:

<scriptname> package.just.downloaded package.just.downloaded.DIGESTS

But then I got to questioning the integrity of both the downloaded
sources and the digest originating on the same server........ Probably
not a good idea either? So the digest should come from elsewhere? Maybe
pull the digest from a certificated (pontificated?) (gentoo controlled)
server and not somebody's (low priority managed) public server. Or maybe
a master list of digests (hashes) could be included on every (hardened)
gentoo box?

It seems *everything is hacked* now. Certainly the NSA has fessed up to
that, as have others. Sure, it may be just "good business", but the
brightest minds nowadays are mostly focused on security compromises,
particularly offensive strategies, imho. So it seems to me there is
probably a "fly in the ointment" common to what everyone is doing on a
semi-regular basis. To me this sort of (justified/unjustified) paranoia
should be incorporated into the entire "hardened" effort at gentoo, imho,
if not on a wider basis.

So please continue the "portage" thread discussion, but also a wider
thread concerning other source downloads. After all, *if* you can inject
into sources, which are then compiled, who checks under the
under_garments? If you read about "The rat", the most secure
implementation had/has tainted its very soul. [1]

curiously,
James

[1] http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/
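The "<scriptname> download download.DIGESTS" tool James asks about, as an added example that is not part of the post and not a Gentoo tool. It assumes the DIGESTS file uses the release-media layout ("# SHA512 HASH" section comments followed by "<hex>  <filename>" lines, optionally wrapped in a PGP clearsign block) and that the download sits beside the DIGESTS file; the sample data in selfcheck() is constructed, not a real release. Note what it does not do: comparing against a hash fetched from the same server proves only that the two files agree, which is exactly the objection raised above. The independent check is the PGP signature on the DIGESTS file (gpg --verify against a Gentoo release key obtained through a channel other than that mirror); this script leaves that to gpg.

```python
"""Check a downloaded file against a Gentoo-style DIGESTS file.

Added example (not from the mailing-list post). Assumed DIGESTS layout:
"# <ALGO> HASH" section comments, then "<hex>  <filename>" lines, possibly
inside a PGP clearsign block. Signature verification is left to gpg.
"""
import hashlib
import os
import re
import sys
import tempfile

# Algorithm names used in DIGESTS section comments -> hashlib names.
# WHIRLPOOL is listed so it is recognised but skipped (not in hashlib).
_ALGOS = {"SHA512": "sha512", "BLAKE2B": "blake2b", "SHA256": "sha256", "WHIRLPOOL": None}

_SECTION_RE = re.compile(r"^#\s*(\w+)\s+HASH\s*$")
# Accepts the optional '*' binary marker that sha512sum -b emits.
_ENTRY_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+?)\s*$")


def parse_digests(text):
    """Return {filename: {ALGO: hexdigest}} from DIGESTS text.

    Lines outside a "# <ALGO> HASH" section (PGP armor, 'Hash:' header,
    blank lines, the signature body) are ignored.
    """
    entries, algo = {}, None
    for line in text.splitlines():
        if line.startswith("-----"):      # PGP armor boundary: leave any section
            algo = None
            continue
        m = _SECTION_RE.match(line)
        if m:
            algo = m.group(1).upper()
            continue
        if algo is None:
            continue
        m = _ENTRY_RE.match(line)
        if m:
            digest, fname = m.group(1).lower(), os.path.basename(m.group(2))
            entries.setdefault(fname, {})[algo] = digest
    return entries


def hash_file(path, algo_name):
    """Stream the file through hashlib so large tarballs do not land in RAM."""
    h = hashlib.new(algo_name)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path, digests_path, preferred=("SHA512", "BLAKE2B", "SHA256")):
    """Return (ok, algo, reason). ok is True only if a supported digest for
    basename(path) is listed and matches; the first usable algorithm decides."""
    with open(digests_path, "r", encoding="utf-8", errors="replace") as f:
        entries = parse_digests(f.read())
    fname = os.path.basename(path)
    if fname not in entries:
        return False, None, "no entry for %s in %s" % (fname, digests_path)
    for algo in preferred:
        expected = entries[fname].get(algo)
        if expected is None or _ALGOS.get(algo) is None:
            continue
        actual = hash_file(path, _ALGOS[algo])
        if actual == expected:
            return True, algo, "match"
        return False, algo, "mismatch: expected %s got %s" % (expected, actual)
    return False, None, "no supported digest (have: %s)" % ", ".join(sorted(entries[fname]))


def selfcheck():
    """Constructed sample (not a real release): a fake tarball plus a
    clearsign-shaped DIGESTS for it. Returns the ok flags for a good copy,
    a tampered copy with the same name, and a file the DIGESTS never lists."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "lilblue-sample.tar.xz")
        payload = b"constructed sample payload, not a real stage tarball\n"
        with open(good, "wb") as f:
            f.write(payload)
        digests = os.path.join(d, "lilblue-sample.tar.xz.DIGESTS")
        with open(digests, "w") as f:
            f.write("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n"
                    "# SHA512 HASH\n%s  lilblue-sample.tar.xz\n"
                    "-----BEGIN PGP SIGNATURE-----\n(signature omitted in sample)\n"
                    "-----END PGP SIGNATURE-----\n" % hashlib.sha512(payload).hexdigest())
        ok_good = verify(good, digests)[0]
        with open(good, "wb") as f:
            f.write(payload + b"injected\n")   # tamper in place, same filename
        ok_tampered = verify(good, digests)[0]
        other = os.path.join(d, "unlisted.tar.xz")
        with open(other, "wb") as f:
            f.write(payload)
        ok_unlisted = verify(other, digests)[0]
    return ok_good, ok_tampered, ok_unlisted


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s <download> <download>.DIGESTS" % sys.argv[0])
    ok, algo, reason = verify(sys.argv[1], sys.argv[2])
    print("%s: %s (%s)" % (sys.argv[1], "OK" if ok else "FAILED", algo if ok else reason))
    sys.exit(0 if ok else 1)
```

Invoke it exactly as the post sketches, with the downloaded file and its DIGESTS as the two arguments; the exit status is 0 only on a match, so it can sit at the end of a fetch script. A mismatch or a missing entry is reported and treated as a failure rather than silently falling through to a weaker algorithm.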

