* John Nilsson <john@×××××××.nu> [2004-03-25 09:24:37 +0100]:
> If a patch is signed, with a good signature, does that mean that the
> signer has audited the patch for security holes?
>
> What is to say that the source compiled with an ebuild is not
> compromised?

These are the two situations that worry _me_ the most:

1. A package's source code is compromised at the main distribution
   site (or one of its mirrors).

   This has happened in the past and, if I remember correctly,
   Gentoo Linux was able to discover at least one such trojan.
   The source code had been tampered with, but fortunately the
   ebuild digest of that package was able to notice that. This
   was pure luck, since if the ebuild developer had made his
   digest _after_ the source code had been compromised, we'd all
   be running trojans today (well, maybe).

   Having the ebuild developer _sign_ the digest wouldn't help
   at all. If the original author of the source code had a source
   code signature, and Gentoo had a mechanism to verify that,
   then it would have helped.

2. A Gentoo rsync mirror is compromised.

   There are loads of mirrors, and no way to know how secure each
   of them is. A compromised mirror may cause a lot of damage.
   If all ebuilds were signed, then such a security breach wouldn't
   be much of a threat.


Eivind

--
gentoo-dev@g.o mailing list
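A small model of the two failure modes Eivind describes, as an added example that is not part of the thread or of Portage. It assumes the 2004-era digest line format `MD5 <hex> <distfile> <size>` (Portage has since moved to Manifest files with stronger hashes), and it uses an HMAC with a developer-held key as a stand-in for a detached signature on the digest file, since both share the property the argument relies on: a mirror that lacks the key cannot produce a valid one.

```python
"""Digest vs. signed-digest checks for the two cases in the thread.

Added example, not code from gentoo-dev or Portage. The digest line
format and the HMAC-as-signature stand-in are assumptions (see lead-in).
"""
import hashlib
import hmac

DISTFILE = "foo-1.0.tar.gz"                      # constructed name
CLEAN = b"upstream foo-1.0.tar.gz contents"      # constructed clean tarball
TROJAN = b"upstream foo-1.0.tar.gz contents + backdoor"  # constructed trojaned copy
DEV_KEY = b"constructed-developer-key"           # held by the developer, never on a mirror

def make_digest(filename: str, data: bytes) -> str:
    """Build one digest line as `ebuild digest` did at the time."""
    return f"MD5 {hashlib.md5(data).hexdigest()} {filename} {len(data)}\n"

def verify_distfile(digest_text: str, filename: str, data: bytes) -> bool:
    """Check a fetched distfile against the digest line that names it."""
    for line in digest_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "MD5" or parts[2] != filename:
            continue
        return parts[1] == hashlib.md5(data).hexdigest() and int(parts[3]) == len(data)
    return False  # no digest line for this file: refuse rather than trust

def sign_digest(digest_text: str, dev_key: bytes) -> str:
    """Stand-in for the developer signing the digest file (HMAC, not OpenPGP)."""
    return hmac.new(dev_key, digest_text.encode(), hashlib.sha256).hexdigest()

def verify_signed_digest(digest_text: str, tag: str, dev_key: bytes) -> bool:
    return hmac.compare_digest(sign_digest(digest_text, dev_key), tag)

def scenario_tampered_after_digest() -> bool:
    """Case 1, lucky variant: digest made from clean source, tarball trojaned later."""
    digest = make_digest(DISTFILE, CLEAN)
    return verify_distfile(digest, DISTFILE, TROJAN)      # False: the digest catches it

def scenario_digest_made_after_compromise() -> bool:
    """Case 1, unlucky variant: the developer digested already-trojaned source."""
    digest = make_digest(DISTFILE, TROJAN)
    return verify_distfile(digest, DISTFILE, TROJAN)      # True: passes, and signing this digest would not help

def scenario_rsync_mirror_rewrites_digest() -> tuple:
    """Case 2: a compromised rsync mirror ships a trojan plus a matching digest.
    Returns (unsigned digest check passes, signed digest check passes)."""
    good_digest = make_digest(DISTFILE, CLEAN)
    tag = sign_digest(good_digest, DEV_KEY)              # produced by the developer, off-mirror
    evil_digest = make_digest(DISTFILE, TROJAN)          # mirror regenerates the digest to match
    plain_ok = verify_distfile(evil_digest, DISTFILE, TROJAN)      # True: an unsigned tree is fooled
    signed_ok = verify_signed_digest(evil_digest, tag, DEV_KEY)    # False: the mirror lacks the key
    return plain_ok, signed_ok
```

The third scenario is the one a signed tree closes: the mirror can rewrite both tarball and digest, but not the developer's signature over the digest.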