# Portage tree security?

## D-LINC

Question relating to the security of the Portage infrastructure: How does one know that the Portage snapshot (or deltas) downloaded from a mirror are the same as those originally provided by the Gentoo team? (I.e., that they haven't been compromised at the mirror.)

----------

## John R. Graham

You can get the GPG signatures for the snapshots from the mirrors. Of course, this begs the question, how do you know you can trust the agent that signs the snapshots? Full Portage tree and process security is a non-trivial problem and is an early work in process. See GLEPs 57, 58, and 59.

- John

----------

## ryao

emerge-webrsync is supposed to be protected by PGP signing, although I never looked at it in depth to confirm that.

----------
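The check discussed in this thread, as an added example that is not part of any post above and is not Gentoo's own tooling: verify a snapshot's detached signature against a keyring you obtained and checked separately from the mirror, and require the signer's primary-key fingerprint to match the one you pinned. The file names, keyring path and fingerprint in the usage comment are assumptions and placeholders.

```shell
#!/bin/sh
# verify_snapshot SNAPSHOT SIGNATURE KEYRING EXPECTED_PRIMARY_FPR
# Returns 0 only if SIGNATURE is a good detached signature over SNAPSHOT made
# by a key in KEYRING whose primary-key fingerprint equals the pinned value.
# Returns 1 on a bad/unknown signature, 2 on bad arguments, 3 if gpgv is absent.
verify_snapshot() {
    [ "$#" -eq 4 ] || { echo "usage: verify_snapshot SNAPSHOT SIG KEYRING FPR" >&2; return 2; }
    snapshot=$1 sig=$2 keyring=$3 want_fpr=$4

    for f in "$snapshot" "$sig" "$keyring"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }
    done
    command -v gpgv >/dev/null 2>&1 || { echo "gpgv not found" >&2; return 3; }

    # gpgv resolves a keyring name without a slash relative to its home
    # directory, so force a path.
    case $keyring in
        */*) ;;
        *) keyring=./$keyring ;;
    esac

    # gpgv trusts exactly the keys in the given keyring and nothing else;
    # machine-readable status lines go to stdout via --status-fd 1.
    status=$(gpgv --keyring "$keyring" --status-fd 1 "$sig" "$snapshot" 2>/dev/null) || {
        echo "signature did not verify against $keyring" >&2
        return 1
    }

    # On a VALIDSIG status line the last field is the primary-key fingerprint.
    got_fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    if [ -z "$got_fpr" ] || [ "$got_fpr" != "$want_fpr" ]; then
        echo "signed by unexpected key: ${got_fpr:-none}" >&2
        return 1
    fi
    return 0
}

# Usage (assumed names; substitute the fingerprint you verified out of band):
#   verify_snapshot portage-latest.tar.xz portage-latest.tar.xz.gpgsig \
#       /path/to/gentoo-release-keyring.gpg PINNED_PRIMARY_KEY_FINGERPRINT
```

This only moves the trust question to how the keyring and fingerprint were obtained, which is the point John R. Graham raises above.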

