Gentoo Archives: gentoo-portage-dev

From: "Robin H. Johnson" <robbat2@g.o>
To: gentoo-portage-dev@l.g.o
Subject: Re: [gentoo-portage-dev] About boosting sync
Date: Wed, 03 Dec 2008 04:37:21
Message-Id: 20081203031958.GE28859@curie-int.orbis-terrarum.net
In Reply to: [gentoo-portage-dev] About boosting sync by Tambet
On Tue, Dec 02, 2008 at 07:46:13PM +0200, Tambet wrote:
> Has anyone ever noticed that portage tree contains a lot of md5 hashes,
> which are not at all important for using it? I think that it does not make
> reliability or functionality smaller any bit if those would all stay in sync
> servers - anyway, syncing would go much faster and this tree smaller. What
> about removing all those md5 hashes and downloading them only when they're
> needed?
Umm, what are you on? There are no more MD5s in Manifest2. It should be
only RMD160, SHA1, SHA256. If you DO find a Manifest with an MD5, I'd
REALLY like to know about it.

As for the importance of Manifests and the hashes, I'd like to offer the
following as suggested reading:
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/
Specifically, see the papers page, and find the paper from CCS 2008 [1].
He DID solicit input from me on how Gentoo deals with the issue, and
gave it fair coverage in my opinion. It's CRITICALLY important that the
checksums go with the content, and that the checksums are later verified
themselves against a known up-to-date source.

If you're interested in the Gentoo side of it, specifically how it ties
into tree-signing, read my GLEPs:
http://www.gentoo.org/proj/en/glep/glep-0057.html
http://www.gentoo.org/proj/en/glep/glep-0058.html
http://www.gentoo.org/proj/en/glep/glep-0059.html
http://www.gentoo.org/proj/en/glep/glep-0060.html
http://www.gentoo.org/proj/en/glep/glep-0061.html

[1] Cappos, J. et al. "A Look In the Mirror: Attacks on Package
Managers". (2008). Published in the proceedings of ACM CCS 2008.

--
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail : robbat2@g.o
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
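The two-step verification Robin describes (the checksums travel with the content, and the checksum list itself is then verified against a trusted, up-to-date source), as an added Python example that is not part of this thread and is not Portage's own code. The Manifest2 line layout used here (entry type, filename, size, then hash-name/value pairs for RMD160, SHA1 and SHA256) follows the hash set he names; the function names, the constructed sample files, and the use of a Manifest2 line for the Manifest itself as a stand-in for the GnuPG tree signature are assumptions made for the example. RMD160 is probed rather than assumed, since some hashlib/OpenSSL builds do not ship it.

```python
import hashlib

# Manifest2 hash names (as in the mail) mapped to hashlib algorithm names.
MANIFEST_HASHES = {"RMD160": "ripemd160", "SHA1": "sha1", "SHA256": "sha256"}


def supported_hashes():
    """Manifest2 hash names this Python/OpenSSL build can actually compute.
    RMD160 may be absent (OpenSSL legacy provider), so probe instead of assuming."""
    out = []
    for name, algo in MANIFEST_HASHES.items():
        try:
            hashlib.new(algo)
        except ValueError:
            continue
        out.append(name)
    return out


def digest(hash_name, data):
    return hashlib.new(MANIFEST_HASHES[hash_name], data).hexdigest()


def make_entry(kind, filename, data, hashes=None):
    """Build one Manifest2 line:
    'DIST foo-1.0.tar.gz <size> RMD160 <hex> SHA1 <hex> SHA256 <hex>'."""
    hashes = hashes or supported_hashes()
    fields = [kind, filename, str(len(data))]
    for name in hashes:
        fields += [name, digest(name, data)]
    return " ".join(fields)


def parse_entry(line):
    """Split a Manifest2 line into (kind, filename, size, {hash_name: hex})."""
    parts = line.split()
    if len(parts) < 5 or (len(parts) - 3) % 2:
        raise ValueError("malformed Manifest2 line: %r" % line)
    kind, filename, size = parts[0], parts[1], int(parts[2])
    return kind, filename, size, dict(zip(parts[3::2], parts[4::2]))


def verify_entry(line, data, required=("SHA256",)):
    """Verify `data` against one Manifest2 line. Returns (ok, reasons).
    Size and every listed, computable hash must match. Hashes in `required`
    must be present and computable, so an attacker cannot downgrade the check
    by stripping the strong hash from the line and keeping a weaker one."""
    _kind, _filename, size, hashes = parse_entry(line)
    reasons = []
    if len(data) != size:
        reasons.append("size mismatch")
    checked = 0
    for name, expected in hashes.items():
        if name not in MANIFEST_HASHES:
            reasons.append("unknown hash %s" % name)
            continue
        try:
            actual = digest(name, data)
        except ValueError:
            if name in required:
                reasons.append("required hash %s not computable" % name)
            continue
        if actual != expected:
            reasons.append("%s mismatch" % name)
        checked += 1
    for name in required:
        if name not in hashes:
            reasons.append("required hash %s missing" % name)
    if checked == 0:
        reasons.append("no hash checked")
    return not reasons, reasons


def verify_package(manifest_text, trusted_manifest_entry, files):
    """Step 1: verify the Manifest itself against a checksum obtained from a
    trusted, up-to-date source (in Gentoo that is the GnuPG tree signature;
    a Manifest2 line for the Manifest is used here as a stand-in).
    Step 2: verify every file against its line in the now-trusted Manifest.
    `files` maps filename -> bytes. Returns (ok, {filename: reasons})."""
    ok, why = verify_entry(trusted_manifest_entry, manifest_text.encode())
    if not ok:
        return False, {"Manifest": why}
    problems = {}
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        _kind, filename, _size, _hashes = parse_entry(line)
        if filename not in files:
            problems[filename] = ["file missing"]
            continue
        ok, why = verify_entry(line, files[filename])
        if not ok:
            problems[filename] = why
    return not problems, problems
```

A Manifest that an attacker regenerates to match tampered files passes step 2 on its own; it is step 1, the comparison of the Manifest against a value the attacker does not control, that catches the swap. That is the "verified themselves against a known up-to-date source" half of the argument, and it is why the hashes cannot simply be left on the sync server.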