MD5 checksums to ensure delivered package integrity?

aaronpawlak

Hello,

 

I hope for some assistance .I have been given to understand that Portage may be configured to execute SHA-level package verification upon receipt as a matter of course. Is this true; or does this system rely exclusively upon MD5 checksums to ensure delivered package integrity?

Relatedly, how are received packages verified at the Gentoo side before redistribution to end-user installations?

Next, what vetting is required regarding individuals involved in the chain of custody for packages which are distributed ? .I checked many firewall configuration explainer videos but did not find any solution to my problem.Please help me out.

 

Any help will be appreciated.
Thank you.

MJ-perComp

The MD5 is not a "proof of origin" but a quick checksum to see if the downloaded was done without errors. If an attacker would be able to replace the file he would also be able to modify the file containing the MD5.

 

But even if he would try to replace the file with a rugue one, that has the same MD5 his effort to find a match would still be "tough", SHA256 would make it hard, but then the above is still true.

 

So for the purpose the MD5 is fine - having both values available would at least stop this question to become a FAQ.