Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 106060 - ebuild digest is verified after following dependencies
Summary: ebuild digest is verified after following dependencies
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core - Interface (emerge) (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Portage team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 147007
  Show dependency tree
 
Reported: 2005-09-15 06:04 UTC by Florian Friesdorf
Modified: 2007-01-19 00:04 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Friesdorf 2005-09-15 06:04:29 UTC
I can make changes to an ebuild, especially change its dependencies. emerge will report a digest 
verification error, however only after having already installed all dependencies. The digest of an ebuild 
seems to be check before merging it, not before processing it.

Reproducible: Always
Steps to Reproduce:
1.change dependency in an ebuild
2.emerge that ebuild
3.

Actual Results:  
It installed all dependencies and then reports an digest verification error

Expected Results:  
report the digest verification error before listening to what that false ebuild is telling it

Portage 2.0.51.22-r2 (default-linux/x86/2005.1, gcc-3.3.5, glibc-2.3.4.20041102-r1, 2.6.10 i686)
===============================================================
==
System uname: 2.6.10 i686 AMD Sempron(tm)   2200+
Gentoo Base System version 1.4.16
dev-lang/python:     2.3.5-r2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.4
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.18-r1
virtual/os-headers:  2.6.8.1-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-mcpu=athlon-xp -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/
qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-mcpu=athlon-xp -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://
pandemonium.tiscali.de/pub/gentoo/ http://gentoo.inode.at/ http://ftp.easynet.nl/mirror/gentoo/ 
http://ftp.snt.utwente.nl/pub/os/linux/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="x86 X509 alsa apache2 apm arts avi bash-completion berkdb bitmap-fonts crypt curl cyrus-
imapd:autocreate dnsdb eds emboss encode evms2 exiscan-acl flash foomaticdb fortran gdbm gif 
gstreamer imagemagick imap imlib javascript jbig jpeg lcms ldap libg++ libwww lmtp mad maildir 
mbox mcal memlimit mikmod mp3 mpeg mysql ncurses nls nntp nodrm ogg oggvorbis opengl oss pam 
pdflib perl pic png postgres python quicktime readline sasl sdl skey slp spell sse ssl syslog tcpd tiff 
truetype truetype-fonts type1-fonts unicode vhosts vorbis wildlsearch wmf xml xml2 xmms xv yaz zlib 
userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
Comment 1 Carsten Lohrke (RETIRED) gentoo-dev 2005-09-15 07:15:12 UTC
There's nothing wrong with it as it is. When you change an ebuild you have to
recreate the digest, of course

Comment 2 Harald van Dijk (RETIRED) gentoo-dev 2005-09-15 07:37:53 UTC
If I'm understanding right, the point is not that emerge foo should work after
changing foo.ebuild, but that things like emerge -p foo should not work, while
that currently does work.
Comment 3 Florian Friesdorf 2005-09-15 18:45:21 UTC
I did the following:

ebuild1:
  depends ebuild2-v1

root# emerge ebuild1
  results in emergeing of ebuild2-v1 and then ebuild1 - fine

now I changed ebuild1:
  depends ebuild2-v2

root# emerge ebuild1
  results in emerging of ebuild2-v2 and then an error that the digest
verification of ebuild1 failed.


Of course, the error is correct, as I need to regenerate the digest, when I
change something. However, I think this failure message should already be
reported before any part of portage believes what is written in the ebuild.

Therefore - yes, it should already be checked with a -p

1. checking digests of ebuilds being merged directly (on command line)
2. checking digests of their dependencies
3. checking digests of the dependencies' dependencies
and so on
only if all ebuilds being involved have a valid digest, any action should be
taken, like displaying (with -p) or installing.

On second thought, probably it is enough, to first believe the ebuild for
building the dependency tree, but then before using this dependency tree any
further, its validity needs to be checked. However, I dont know what actions are
involved when building portage caches and similar. Maybe these operations should
also be protected from potentially malware ebuilds.

Reopened as it is not invalid.
Comment 4 Brian Harring (RETIRED) gentoo-dev 2005-09-16 05:03:00 UTC
Digest's are used for fetchables; they hold chksum information for those files.

If you mean manifest wise, which I assume to be the case since digest doesn't
hold ebuild chksums, manifest does ;), FEATURES="strict" should hork on the
first metadata pull (meaning, when portage goes to get DEPEND, during building
the depgraph).  So... check your features.
Comment 5 Harald van Dijk (RETIRED) gentoo-dev 2005-09-16 07:09:59 UTC
The reporter has strict in FEATURES, according to the included emerge --info
output, and I have it in mine.

sh-3.00# rm -r /var/cache/edb; emerge >/dev/null 2>&1
sh-3.00# emerge -pv xosview

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild   R   ] x11-misc/xosview-1.8.2-r1  0 kB 

Total size of downloads: 0 kB
sh-3.00# emerge xosview
Calculating dependencies ...done!
>>> emerge (1 of 1) x11-misc/xosview-1.8.2-r1 to /
>>> md5 files   ;-) xosview-1.8.2.ebuild

!!! Digest verification Failed:
!!!    /var/cvs/gentoo-x86/x11-misc/xosview/xosview-1.8.2-r1.ebuild
!!! Reason: Filesize does not match recorded size

>>> Please ensure you have sync'd properly. Please try 'emerge sync' and
>>> optionally examine the file(s) for corruption. A sync will fix most cases.

sh-3.00# emerge --info
Portage 2.0.52-r1 (default-linux/x86/2005.0, gcc-4.0.2-beta20050901,
glibc-2.3.5.20050421-r0, 2.6.13 i686)
=================================================================
System uname: 2.6.13 i686 AMD Duron(tm) Processor
Gentoo Base System version 1.12.0_pre8
dev-lang/python:     2.4.1-r1
sys-apps/sandbox:    1.2.13
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-tbird -Os -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env
/usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config
/usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon-tbird -Os -fomit-frame-pointer -fvisibility-inlines-hidden"
DISTDIR="/var/dist"
FEATURES="autoconfig autopatch collision-protect cvs distlocks gpg noauto
notitles sandbox sfperms sign strict"
GENTOO_MIRRORS="        http://ftp.easynet.nl/mirror/gentoo    
http://distfiles.gentoo.org    
http://www.ibiblio.org/pub/Linux/distributions/gentoo "
LANG="en_GB.UTF-8"
LINGUAS="en en_GB ja nl"
MAKEOPTS="-j1"
PKGDIR="/var/pkg"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/var/cvs/gentoo-x86"
PORTDIR_OVERLAY="/etc/portage/cross /etc/portage/overlay
/etc/portage/overlay/gtk-webcore"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 3dnow 3dnowext X aac acl alsa berkdb bidi bitmap-fonts bzip2 cdparanoia
cjk crypt cups dlloader dri dvd dvdread encode erandom fbcon firefox flac gdbm
gif glx gtk gtk2 hal imagemagick imlib imlib2 immqt ipv6 ithreads jpeg kde
kdeenablefinal linuxthreads-tls lua lynxkeymap mad mbox mmx mmxext mozdevelop
mozsvg mp3 mpeg ncurses nls nntp noamazon nocxx nopie nossp nptl offensive ogg
oggvorbis oss pcre php pic png postgres ppds qt quicktime readline reiserfs rtc
slang spell ssl svg tcpd threads truetype-fonts type1-fonts unicode userlocales
vim-pager vorbis win32codecs wmf xface xine xml2 xvid zlib linguas_en
linguas_en_GB linguas_ja linguas_nl userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LC_ALL, LDFLAGS

Problem exists in 2.1 as well, but I downgraded portage to make sure it's not
just in 2.1.
Comment 6 Harald van Dijk (RETIRED) gentoo-dev 2005-09-16 07:20:49 UTC
Additionally:

sh-3.00# cat Manifest # any signed Manifest will make portage with FEATURES=gpg
happy, so I just copied something completely unrelated over
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MD5 671ecb9dd6d798154032a7085f1398ab ChangeLog 93667
MD5 3196c90905902891b12b4d08372c0eb5 gcc-2.95.3-r9.ebuild 7524
MD5 37f3db1694d592dc3a3db07507390b76 gcc-3.1.1-r2.ebuild 9270
MD5 c76df140331f7e3f907c329ee85d9477 gcc-3.2.2.ebuild 767
MD5 71b180bed94dca00dddf253f7bd6508f gcc-3.2.3-r4.ebuild 19841
MD5 3e3bc1c3e3953428824c0fd3f206c48b gcc-3.3.2-r7.ebuild 21757
MD5 1a84ea5c09067bb7da6c8959f13e2154 gcc-3.3.5-r1.ebuild 3777
MD5 9111df8f4b2d0f617ccc1ab9c7755d7f gcc-3.3.5.20050130-r1.ebuild 3209
MD5 8cfc5360d76544e8a27184903261f268 gcc-3.3.5.20050130-r2.ebuild 3209
MD5 dee257c0fea166229acee12767e65236 gcc-3.3.6.ebuild 3037
MD5 22583bfbc351f0715fefcf199efa7c79 gcc-3.4.1-r3.ebuild 31176
MD5 8ad652a1c6c3b0b27963da2a8684dfc7 gcc-3.4.3-r1.ebuild 5429
MD5 f3320fc6b7547238588e8d01266c7d1c gcc-3.4.3.20050110-r2.ebuild 5192
MD5 f5804f3b322c22138f87bca0b3b3a69c gcc-3.4.4-r1.ebuild 5010
MD5 040ce3a966ff6b910a65e218fdeb137f gcc-4.0.1.ebuild 1668
MD5 fd103c9ed79442ab91f70289116c0e1b gcc-4.0.2_pre20050913.ebuild 1947
MD5 567094e03359ffc1c95af7356395228d metadata.xml 162
MD5 f7e7042c2ddf66e344b30cbc66ebaf73 files/cc 24
MD5 80d122265d3062847a4a1b161abe1d26 files/cpp 24
MD5 4ecf0f5cb735c81ca4b61a9c6db74269 files/digest-gcc-2.95.3-r9 139
MD5 0d683280daf95e6bb9712549352a200c files/digest-gcc-3.1.1-r2 140
MD5 9bf3066b08fcf3297eb76fbfd33d18ee files/digest-gcc-3.2.2 137
MD5 40e6872c09149a81973f01a78c80bbb7 files/digest-gcc-3.2.3-r4 279
MD5 e58b6c1f3122b79a5d0d273acc3c008c files/digest-gcc-3.3.2-r7 361
MD5 a3edf5e9d8bb500178f8dd29c1f9eadd files/digest-gcc-3.3.5-r1 442
MD5 b29f3bde3e23f17cd9a9bb4a5b026ea1 files/digest-gcc-3.3.5.20050130-r1 620
MD5 9e216fb231a24884fe548b31864296b8 files/digest-gcc-3.3.5.20050130-r2 620
MD5 bc84418435b24e5c06f80f819e35b6fb files/digest-gcc-3.3.6 453
MD5 c6ea8a92bac6d2638c54c011f98bc5b8 files/digest-gcc-3.4.1-r3 442
MD5 e76a453a41518cf6a73123fe128c716f files/digest-gcc-3.4.3-r1 607
MD5 f0d6e8b1503f1745061639b642fb1911 files/digest-gcc-3.4.3.20050110-r2 616
MD5 397fee475b161984702afab06d76767c files/digest-gcc-3.4.4-r1 450
MD5 f0c74f849066ffaefe7d364d69a71961 files/digest-gcc-4.0.1 380
MD5 f0c9bda00475b05ced0fa0141f18cccb files/digest-gcc-4.0.2_pre20050913 389
MD5 1acd56209164ab837c5f91723434464e files/fix_libtool_files.sh 1712
MD5 f80fd6ebeeea00d3e1649dfccdd85062 files/gcc-spec-env.patch 893
MD5 8baffb486c75efe253bd2daa88daa7d6 files/gcc331_use_multilib.amd64.patch 352
MD5 e3193bdffb435b77a21bfb504ff6f591 files/mkinfodir 7324
MD5 ea2cf3df0d89a26d5fdc1a531176e395 files/pro-police-docs.patch 3287
MD5 07b57d62aa1a8cd4d1cd37984ebe2053 files/scan_libgcc_linked_ssp.sh 861
MD5 8ec9b0352d226e4693cabffe0fa5bba6
files/3.2.1/gcc31-loop-load-final-value.patch 3324
MD5 5e8f2122ef7f9ce187b0a0d50ac9d24a files/3.2.1/gcc32-arm-disable-mathf.patch 2229
MD5 044a164462d9392aa67cde6f9fd5c1bc files/3.2.1/gcc32-arm-reload1-fix.patch 932
MD5 38131a537835873acb08c415d27a013e files/3.2.1/gcc32-athlon-alignment.patch 509
MD5 7978d1aaf6bae19163e83c110dec1b38 files/3.2.1/gcc32-sparc32-hack.patch 2192
MD5 51719a174883702ef1851fac4cc79398 files/3.2.1/gcc32-strip-dotdot.patch 2071
MD5 ed5b074a1d34f4b30a0b1d3928be57e3 files/3.2.2/gcc-3.2.2-cross-compile.patch 479
MD5 9a67d782b2a574f77714b29675cbda62
files/3.2.2/gcc-3.2.2-no-COPYING-cross-compile.patch 1001
MD5 17f15202b98a8dd84d0f4b67eff2d868 files/3.2.2/gcc32-pr7768.patch 1789
MD5 9f5b59d7567b90894d8d32cf99f910cc files/3.2.2/gcc32-pr8213.patch 2036
MD5 465eeaf6008c25dc69ff502dc2a9d8e0 files/3.2.2/gcc322-ggc_page-speedup.patch 872
MD5 52ef1426cb70a472182503502b768058 files/3.2.3/gcc-3.2.3-mergel-fix.patch 2749
MD5 a3315d69ba1be0bc1518a75027896bf3
files/3.2.3/gcc-3.2.3-move-propolice-into-glibc.patch 3534
MD5 1f4f8ca52d2dda4a5dc3a9b8f130841c files/3.2.3/gcc-323-propolice-version.patch 700
MD5 c9c45dab64bab25e716859626ad7f94f
files/3.2.3/gcc32-c++-classfn-member-template.patch 3219
MD5 494d917cc15c81c9cead4a8c17d4d00d
files/3.2.3/gcc32-mklibgcc-serialize-crtfiles.patch 926
MD5 99db7c1a41babe024f0c6859c30a87ee files/3.2.3/gcc323-gentoo-branding.patch 2058
MD5 869b9a1ea49bf8b07c8405d2f1d76270
files/3.2.3/gcc323-hppa-default_assemble_visibility.patch 571
MD5 b398b7415b93423ff04952c6e69bdb4d files/3.3.1/gcc331-pp-fixup.patch 407
MD5 9e7ed6184a1cdcb69db29f1de26c2d18 files/3.3.2/gcc332-altivec-fix.patch 1607
MD5 d9ae122db2768f8e504dfef256d4991f files/3.3.2/gcc332-gentoo-branding.patch 874
MD5 ee700275f341541af37d56bd15dcf863 files/3.3.3/gcc-3.3.3-norelro.patch 606
MD5 ff6d7b5082c5e39fab8a5d8932c1a8b7 files/3.3.3/gcc-3.3.3-uclibc-add-ssp.patch 461
MD5 308a0e53f03e9cb74b3d12c2633cbee2 files/3.3.3/gcc-uclibc-3.3-loop.patch 433
MD5 9ba0bd0b103cf9535927ad7c482fe780 files/3.3.3/gcc333-debian-arm-getoff.patch 3501
MD5 25eda9981106a55c413d1df3d3a87db5 files/3.3.3/gcc333-debian-arm-ldm.patch 3383
MD5 3210d5fd70806c44d4426c3dceebd480
files/3.3.3/gcc333_pre20040408-stack-size.patch 653
MD5 5fb5b49f3f16cc9e7e27e582c92ffa2f files/3.3.4/libffi-without-libgcj.patch 890
MD5 7c29f54dd8d50385ac42fae65459c744
files/3.3.5/gcc-3.3.5-ffecom_gfrt_basictype-prototype.patch 538
MD5 184cb0a87ee2fa0197dec6f4902ef4c8
files/3.3.5/gcc-3.3.5-no-COPYING-cross-compile.patch 1192
MD5 c313cea9fdb0a3a796f7e869a471da80 files/3.3.6/gcc-3.3.6-cross-compile.patch 2018
MD5 17b3190d64e34ed7709d022b326d08ae
files/3.4.0/gcc-3.4.0-cc1-no-stack-protector.patch 563
MD5 4edccdf0b4f6dbbc9f7bc9370c255e0c files/3.4.0/gcc34-reiser4-fix.patch 587
MD5 cd770c23ece7458db5e6c5067f262ce0 files/3.4.1/gcc-3.4.1-glibc-is-native.patch 760
MD5 7cb2138ac2df6f8674d19974e966a45b files/3.4.1/gcc-3.4.1-mips-n32only.patch 614
MD5 aa8e15a63d797df37bbd4e489ed0267f files/3.4.1/gcc-3.4.1-mips-n64only.patch 614
MD5 14fec2000fc63536d4cf22195e88e14f
files/3.4.1/gcc-3.4.1-r2-gentoo-branding.patch 781
MD5 a720c913b78bcfbd7f63319130fadd4a files/3.4.2/810-arm-bigendian-uclibc.patch 1139
MD5 00cca5c6d608d147bf379a38fe3b2d45
files/3.4.2/gcc-3.4.2-mips-ip28_cache_barriers-v2.patch 14576
MD5 b2922cfe76692e7d2b373a0a255f405e
files/3.4.2/gcc-3.4.x-mips-add-march-r10k.patch 14248
MD5 f2395cf0f72d870e263d0dcec18fdd67 files/3.4.2/gcc34-fix-sse2_pinsrw.patch 1268
MD5 2c1ce849de55d8c81af4e081dbb2f5e4 files/3.4.2/gcc34-m32-no-sse2.patch 1058
MD5 0b31c7f32c0c28bafdd75c5c0dfc16a5 files/3.4.3/gcc-3.4.3-cross-compile.patch 2919
MD5 3f6d070c2a4a899e7d879fdb55eecba4 files/3.4.3/libffi-nogcj-lib-path-fix.patch
1691
MD5 007c62d92efd70fd44c4d2e6a326036b files/3.4.3/libffi-without-libgcj.patch 1658
MD5 7434140298091f759eba5e9706264130 files/3.4.3/libssp.patch 2029
MD5 50f1f564c568b9e28231c592d4df2f36 files/3.4.4/gcc-3.4.4-cross-compile.patch 1728
MD5 2c355d808b490994c6566b10f3c0ba27 files/3.4.4/gcc-3.4.4-softfloat.patch 5242
MD5 f8c48b2e721c21d83582f5884bfb79c7 files/awk/fixlafiles.awk 7830
MD5 c672adb59a1f452475ab0a864b9d1bd1 files/awk/scanforssp.awk 5830
MD5 0f8035bc5ae6126fd9380ba9dcdcc271 files/stubs/gcc-3.3-htb-stub.patch 2195
MD5 cb27bc36a5b9a1175a5f3bdf38647814 files/stubs/gcc-3.3-ssp-stub.patch 1735
MD5 053b213d6994cef2ad995aa516ed937a files/stubs/gcc-3.4-htb-stub.patch 722
MD5 d71c91009df788366867cb67fc875d6d files/stubs/gcc-3.4-ssp-stub.patch 1068
MD5 37e756238508fe9f9e2b9ba6a7ca67ca files/stubs/gcc-4.0-htb-stub.patch 722
MD5 d71c91009df788366867cb67fc875d6d files/stubs/gcc-4.0-ssp-stub.patch 1068
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDKaWKCRZPokWLroQRAq8MAJ9I4byJENFJLVkgpFjVc2tE3Uba+ACbBMtJ
A7980yEmFK3ur2pv828vnFQ=
=Z8Wi
-----END PGP SIGNATURE-----
sh-3.00# cat test-1.0.ebuild 
KEYWORDS="~x86"
export SANDBOX_ON="0"
touch /portage-has-a-bug
sh-3.00# ls /portage-has-a-bug
ls: /portage-has-a-bug: No such file or directory
sh-3.00# emerge -pv test/test

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild  N    ] test/test-1.0  0 kB [2] 

Total size of downloads: 0 kB
Portage overlays:
 [1] /etc/portage/cross
 [2] /etc/portage/overlay
 [3] /etc/portage/overlay/gtk-webcore
sh-3.00# ls /portage-has-a-bug
/portage-has-a-bug
Comment 7 Brian Harring (RETIRED) gentoo-dev 2005-09-16 11:35:31 UTC
Crud....
That message has a horrible name also.  it's digestCheck which is invoked during
doebuild... it should do size checks during portdb.aux_get checks.
Comment 8 Arne Babenhauserheide 2007-01-18 19:33:29 UTC
this is still active. 
It also means, files get downloaded and could get executed, before the manifest is checked, which is really bad. 

And this with FEATURES=strict! 

Someone who has the karma to do it, please set this bug to critical! 
Comment 9 Alec Warner (RETIRED) archtester gentoo-dev Security 2007-01-18 20:18:47 UTC
(In reply to comment #8)
> this is still active. 
> It also means, files get downloaded and could get executed, before the manifest
> is checked, which is really bad. 
> 
> And this with FEATURES=strict! 
> 
> Someone who has the karma to do it, please set this bug to critical! 
> 

using what version of portage...?
Comment 10 Arne Babenhauserheide 2007-01-18 23:17:56 UTC
Just checked it with portage-2.1.2 (testing). Seems solved. 

Detects wrong entries in the manifest (tested: missing files, wrong size, wrong md5; maybe checks other parameters, I didn't create a spoof with same md5-sum :) ). 

Thanks a lot to whoever did it! 
Comment 11 Zac Medico gentoo-dev 2007-01-19 00:04:58 UTC
(In reply to comment #0)
> I can make changes to an ebuild, especially change its dependencies. emerge
> will report a digest 
> verification error, however only after having already installed all
> dependencies. The digest of an ebuild 
> seems to be check before merging it, not before processing it.

portage-2.1.2 prevents that specific scenario since the timestamp on the ebuild would change and the digest of the ebuild is verified before sourcing it to generate metadata.