Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 8595

Summary: Does Gentoo's package system use digital signatures?
Product: [OLD] Docs-user Reporter: Keunwoo Lee <klee>
Component: Gentoo Linux FAQAssignee: Docs Team <docs-team>
Status: RESOLVED INVALID    
Severity: enhancement CC: mholzer
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 5902    
Bug Blocks:    

Description Keunwoo Lee 2002-09-30 20:09:41 UTC 
This item is not in the Gentoo user FAQ.  If you're even modestly paranoid 
about security, it's important that packages you download off the net be signed 
with digital signatures.  MD5 only verifies that the packages have not been  
accidentally corrupted during transmission.  A peek at the portage Python  
sources in webcvs reveals that it checks md5sums but doesn't appear to have any  
facility for digital signatures.  So, does Gentoo's package system verify that  
packages are digitally signed before building them?
Comment 1 SpanKY gentoo-dev 2002-09-30 21:36:37 UTC 
it only uses md5sums atm
Comment 2 John Davis (zhen) (RETIRED) gentoo-dev 2002-10-01 07:25:32 UTC 
Should this be added to the FAQ?


//ZhEN
Comment 3 John Davis (zhen) (RETIRED) gentoo-dev 2002-10-03 23:42:54 UTC 
This is not really an enhancement. I am closing it.

//ZhEN