checksums of packages
mailinglists00 at gmail.com
Mon Aug 23 14:19:57 PDT 2010
On Mon, Aug 23, 2010 at 07:55:03PM +1200, Simon Geard wrote:
> On Sun, 2010-08-22 at 19:03 -0500, Bruce Dubbs wrote:
> > bendeguz wrote:
> > > 2. This means it could be possible for some package to have
> > > false checksums on the whole internet?
> > > So you can't be absolutely sure, that you have downloaded a package
> > > in the form the maintainer built it?
> > It's possible, but quite unlikely. It would be discovered and all over
> > the net pretty quickly. There are a lot of packages that have optional
> > crypto signatures too. See e.g. openssl.
> More than just openssl - for almost everything in LFS itself, the
> download sites provide GPG signatures, and it seems to be the norm for
> anything hosted on kernel.org or gnu.org. When such signatures are
> available, I make a point of checking them.
> Of course, GPG signatures don't mean anything either, if you don't make
> some effort at verifying the keys they're signed with. It's not really
> practical to verify them face-to-face with their owners, but I usually
> throw the key ID into Google, and check that I get some hits on relevant
> mailing lists. If there are messages from the developers citing that as
> the correct key, it's probably good (assuming their server isn't
> hopelessly compromised and the mailing list archives tampered with).
Well, while installing the base lfs and x I only checked the md5sums
in the book. I hope it's enough. It would have taken a lot of time
to check checksums at different places. I was glad I finished installing
and I didn't go mad :)
The gentoo portage tree has a "Manifest" file which contains the checksums
of a package and it's all GPG signed.
Thank you for the suggestions so far, let me know if you have more... :)
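The two checks discussed in this thread, the book's MD5 and an upstream GPG signature, as a small shell example added here; it is not part of the original post or of the LFS book. It assumes GNU `md5sum` and `gpg` are on the PATH, and the file names, checksum and signature names in the usage comment are placeholders.

```shell
# Added example (not from the original post): check a downloaded tarball
# against the MD5 listed in the LFS book and, where the download site
# provides a detached GPG signature, verify that too. File names and the
# checksum in the usage comment are placeholders.

# verify_md5 FILE EXPECTED_MD5 -> returns 0 on match, 1 on mismatch.
verify_md5() {
    file="$1"
    expected="$2"
    actual=$(md5sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file ($actual)"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# verify_sig FILE SIGFILE -> runs gpg --verify on a detached signature.
# Returns 0 only when gpg reports a good signature from a key in the local
# keyring; returns 2 if gpg is not installed. A key merely being in the
# keyring says nothing about whether it really belongs to the developer,
# which is why the key ID still has to be checked separately.
verify_sig() {
    file="$1"
    sig="$2"
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; skipping signature check for $file" >&2
        return 2
    fi
    gpg --verify "$sig" "$file"
}

# Usage with placeholder names (a real run uses the checksum printed in
# the book and the .sig/.asc file from the download site):
#   verify_md5 package-1.0.tar.gz 0123456789abcdef0123456789abcdef \
#     && verify_sig package-1.0.tar.gz package-1.0.tar.gz.asc
```

`verify_md5` only proves the file matches what the book lists; `verify_sig` adds the upstream signature, and the exit code lets a download script stop before unpacking anything that fails either check.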