1 |
On Tue, Dec 02, 2008 at 07:46:13PM +0200, Tambet wrote: |
2 |
> Has anyone ever noticed that portage tree contains a lot of md5 hashes, |
3 |
> which are not at all important for using it? I think that it does not make |
4 |
> reliability or functionality smaller any bit if those would all stay in sync |
5 |
> servers - anyway, syncing would go much faster and this tree smaller. What |
6 |
> about removing all those md5 hashes and downloading them only when they're |
7 |
> needed? |
8 |
Umm, what are you on? There are no more MD5s in Manifest2. It should be |
9 |
only RMD160, SHA1, SHA256. If you DO find a Manifest with an MD5, I'd |
10 |
REALLY like to know about it. |
11 |
|
12 |
As for the important of Manifests and the hashes, I'd like to offer the |
13 |
following as suggested reading: |
14 |
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/ |
15 |
Specifically, see the papers page, and find the paper from CCS 2008 [1]. |
16 |
He DID solicit input from me on how Gentoo deals with the issue, and |
17 |
gave it fair coverage in my opinion. It's CRITICALLY important that the |
18 |
checksums go with the content, and that the checksums are later verified |
19 |
themselves against a known up to date source. |
20 |
|
21 |
If you're interested in the Gentoo side of it, specifically how it ties |
22 |
into tree-signing, read my gleps: |
23 |
http://www.gentoo.org/proj/en/glep/glep-0057.html |
24 |
http://www.gentoo.org/proj/en/glep/glep-0058.html |
25 |
http://www.gentoo.org/proj/en/glep/glep-0059.html |
26 |
http://www.gentoo.org/proj/en/glep/glep-0060.html |
27 |
http://www.gentoo.org/proj/en/glep/glep-0061.html |
28 |
|
29 |
[1] Cappos, J. et al. "A Look In the Mirror: Attacks on Package |
30 |
Managers". (2008). Published in the proceedings of ACM CCS 2008. |
31 |
|
32 |
-- |
33 |
Robin Hugh Johnson |
34 |
Gentoo Linux Developer & Infra Guy |
35 |
E-Mail : robbat2@g.o |
36 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |