| |||||||||||||
Arch Linux and (the lack of) package signingArch Linux and (the lack of) package signingPosted Mar 24, 2011 15:50 UTC (Thu) by tetromino (subscriber, #33846)In reply to: Arch Linux and (the lack of) package signing by hickinbottoms Parent article: Arch Linux and (the lack of) package signing
> Unless I'm out of date I believe Gentoo has also always suffered this, and continues to do so.
You are many years out of date :) Gentoo's portage has had the ability to use GPG to sign and verity package manifests since 2004: http://www.gentoo.org/news/20041021-portage51.xml
What is true is that there seems to be no policy requiring Gentoo developers to sign manifests, and as a result, many developers never bother to do so and thousands of packages remain unsigned.
(Log in to post comments)
Gentoo package signing Posted Mar 24, 2011 16:39 UTC (Thu) by alex (subscriber, #1355) [Link]
So I assume if old packages aren't signed portage will either allow them or refuse to install them depending on the level of the feature?
/me makes a note to enable the gpg feature.
Arch Linux and (the lack of) package signing Posted Mar 24, 2011 16:46 UTC (Thu) by hickinbottoms (subscriber, #14798) [Link]
> You are many years out of date :)
I suspected as much! However, I looked into this feature today and it doesn't appear to be enabled in the currently marked-stable portage (on my system, at least):
> # emerge ...whatever...
Still, as you say it counts for little if most of the software isn't signed by the mai
Arch Linux and (the lack of) package signing Posted Mar 24, 2011 19:48 UTC (Thu) by vapier (subscriber, #15768) [Link]
hmm, should be trivial to start enforcing manifest signing in the main tree. it's trivial to setup keys after all.
$ find *-* -maxdepth 2 -name Manifest | wc -l
that is fairly abysmal ...
|
|||||||||||||