| 1 |
* John Nilsson <john@×××××××.nu> [2004-03-25 09:24:37 +0100]: |
| 2 |
> If a patch is signed, with a good signature, does that mean that the |
| 3 |
> signers has audited the patch for security holes? |
| 4 |
> |
| 5 |
> What is to say that the source compiled with an ebuild is not |
| 6 |
> compromised? |
| 7 |
|
| 8 |
These are the two situations that worry _me_ the most: |
| 9 |
|
| 10 |
1. A package source code is compromised at the main distribution |
| 11 |
site (or one of it's mirrors). |
| 12 |
|
| 13 |
This has happened in the past and if I remember correctly, |
| 14 |
Gentoo linux was able to discover at least one such trojan. |
| 15 |
The source code had been tampered with, but fortunately, the |
| 16 |
ebuild digest of that package was able to notice that. This |
| 17 |
was pure luck, since if the ebuild developer had made his |
| 18 |
digest _after_ the source code had been compromised, we'd all |
| 19 |
be running trojans today (well, maybe). |
| 20 |
|
| 21 |
Having the ebuild developer _sign_ the digest wouldn't help |
| 22 |
at all. If the original author of the source code had a source |
| 23 |
code signature, then if gentoo had a mechanism to verify that, |
| 24 |
then it would have helped. |
| 25 |
|
| 26 |
2. An gentoo rsync mirror is compromised. |
| 27 |
|
| 28 |
There are loads of mirrors, and no way to know how secure each |
| 29 |
of them are. A compromised mirror may cause a lot of damage. |
| 30 |
If all ebuilds were signed, then such a security breach wouldn't |
| 31 |
be much of a threat. |
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
Eivind |
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
-- |
| 40 |
gentoo-dev@g.o mailing list |
Archives