8595 – Does Gentoo's package system use digital signatures?

Bug 8595 - Does Gentoo's package system use digital signatures?

Summary: Does Gentoo's package system use digital signatures?

Status:	RESOLVED INVALID

Alias:	None

Product:	[OLD] Docs-user
Classification:	Unclassified
Component:	Gentoo Linux FAQ (show other bugs)
Hardware:	All Linux

Importance:	High enhancement (vote)
Assignee:	Docs Team

URL:
Whiteboard:
Keywords:

Depends on:	5902
Blocks:
	Show dependency tree

Reported:	2002-09-30 20:09 UTC by Keunwoo Lee
Modified:	2002-10-03 23:42 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Keunwoo Lee 2002-09-30 20:09:41 UTC

This item is not in the Gentoo user FAQ.  If you're even modestly paranoid 
about security, it's important that packages you download off the net be signed 
with digital signatures.  MD5 only verifies that the packages have not been  
accidentally corrupted during transmission.  A peek at the portage Python  
sources in webcvs reveals that it checks md5sums but doesn't appear to have any  
facility for digital signatures.  So, does Gentoo's package system verify that  
packages are digitally signed before building them?

Comment 1 SpanKY gentoo-dev

2002-09-30 21:36:37 UTC

it only uses md5sums atm

Comment 2 John Davis (zhen) (RETIRED) gentoo-dev

2002-10-01 07:25:32 UTC

Should this be added to the FAQ?


//ZhEN

Comment 3 John Davis (zhen) (RETIRED) gentoo-dev

2002-10-03 23:42:54 UTC

This is not really an enhancement. I am closing it.

//ZhEN