Gentoo Archives: gentoo-amd64

From: Mark Knecht <markknecht@×××××.com>
To: gentoo-amd64@l.g.o
Subject: Re: [gentoo-amd64] Re: !!! Security Violation: A file exists that is not in the manifest.
Date: Fri, 03 Mar 2006 00:53:12
Message-Id: 5bdc1c8b0603021651q5aa15c84gc42bd393cc091eaf@mail.gmail.com
In Reply to: [gentoo-amd64] Re: !!! Security Violation: A file exists that is not in the manifest. by Duncan <1i5t5.duncan@cox.net>
Redoing eix-sync a few times over the last couple of hours and now
it's cleaned up.

cheers,
Mark

On 3/2/06, Duncan <1i5t5.duncan@×××.net> wrote:
> Mark Knecht posted > <5bdc1c8b0603021524m572eedf7x18e22e51a1274d08@××××××××××.com>, excerpted > below, on Thu, 02 Mar 2006 15:24:07 -0800: > > >>>> emerge (4 of 6) sys-apps/baselayout-1.11.14-r6 to / > > !!! Security Violation: A file exists that is not in the manifest. > > !!! File: files/digest-baselayout-1.12.0_pre16-r2 > > lightning ~ # > > > > What's the proper way to take care of this? > > Depends on how paranoid you are. While it could be someone trying to > crack the Gentoo ecosystem, it's far more likely to be a simple mis-sync > -- either you or the upstream rsync server you used happened to sync at > just the wrong moment and get a modification in progress, with the file > there but the manifest not yet updated to reflect it. It could also be > due to a dev partial-syncing, with the same results. > > If you are willing to play the odds, you can just ebuild digest (see > the ebuild manpage if necessary) the thing and it'll fix the issue on your > system. If you are security conscious enough to not be comfortable doing > that (I certainly wouldn't be -- those manifests are there for a reason, > and it /could/ be a cracker trying something, even if rather unlikely), > wait a minimum 90 minutes between syncs, and try another emerge --sync. > Hopefully by then the problem will have corrected itself, or you'll get a > different sync server assigned that doesn't have the problem. > > If the issue still exists several hours later, after a resync, check the > logs and verify the servers you are syncing with, then file a bug on > either the rsync server or baselayout, as it's something that needs fixed, > still most likely a dev accident, but getting more likely it's a real > security issue. > > That assumes nothing irregular at your end, like you added that subdir in > your rsync-excludes file or something, but then again, if you'd done that, > you'd likely know that was the reason without asking. That would be a bit > hard to do by accident. =8^) > > -- > Duncan - List replies preferred. No HTML msgs. > "Every nonfree program has a lord, a master -- > and if you use the program, he is your master." Richard Stallman in > http://www.linuxdevcenter.com/pub/a/linux/2004/12/22/rms_interview.html > > > -- > gentoo-amd64@g.o mailing list > >
-- gentoo-amd64@g.o mailing list