[tor-dev] TBB Gentoo ebuild
Mansour Moufid
mansourmoufid at gmail.com
Sun Aug 12 20:56:23 UTC 2012
On 2012-08-12, at 3:36 PM, Alessandro Di Federico wrote:
> On Sun, 2012-08-12 at 15:11 -0400, Mansour Moufid wrote:
>> Portage offers no authentication and no confidentiality.
>
> Each file has a SHA-256, SHA-512 and Whirlpool hash associated. This
> hashes are in Portage, and if you're a security-aware user (as most of
> Gentoo users are) you can get it in a secure way, which means
> PGP-signed.
>
> Take a look at the handbook:
> http://www.gentoo.org/doc/en/handbook/2008.0/handbook-x86.xml?part=2&chap=3#doc_chap6
Portage uses rsync to get the ebuild and Manifest (signed hashes) from
mirrors, which, along with anyone in between, can send you bogus ebuilds
with whatever Manifest.
Even with webrsync you still have to trust the mirror(s), and then the
Gentoo release infrastructure...
Getting TBB from tp.o with Chrome is end-to-end and secure.
Anyway, good luck.
Mansour
More information about the tor-dev
mailing list