1 |
On 03/05/15 09:49, Patrick Schleizer wrote: |
2 |
> Hi, |
3 |
> |
4 |
> I am currently working on a comparison of package managers in which |
5 |
> Portage is part of. |
6 |
> |
7 |
> https://www.whonix.org/wiki/Comparison_Of_Package_Managers |
8 |
> |
9 |
> Would you be interested to check if the current assessments are correct |
10 |
> and/or to fill the remaining gaps? |
11 |
> |
12 |
> Where the comparison table is hosted or licensing (as long as it's Libre |
13 |
> Software) doesn't matter much to me. Edits can be made by both anonymous |
14 |
> and registered users. Those need to be verified by admins before they go |
15 |
> visible by default for everyone. If you like to have an account without |
16 |
> that limitation, that is also possible. |
17 |
> |
18 |
> Cheers, |
19 |
> Patrick |
20 |
> |
21 |
> |
22 |
|
23 |
Looking at the table, it appears to be unaware of using |
24 |
FEATURES=webrsync-gpg instead of standard rsync. We offer a full copy |
25 |
of the repo which is compressed and gpg signed which would seem to |
26 |
mitigate a lot of the attacks in your table. Not that I nessesarily |
27 |
agree that some of them even qualify as attacks, but webrsync-gpg would |
28 |
appear to mitigate attacks 3, 11, and 12. |
29 |
|
30 |
Attack 7 is possible, but the user would know since emerge tells you |
31 |
every time it is run how long it has been since a successful update |
32 |
based on a timestamp in the portage tree which for webrsync-gpg the |
33 |
attacker cannot modify. |
34 |
|
35 |
Attack 14 is not possible in gentoo as emerge will jump from mirror to |
36 |
mirror until it successfully gets the desired file. One would have to |
37 |
own all the mirrors (or at least hijack dns) to stop the user from |
38 |
getting a file, but at that point it's no longer a malicious mirror attack. |
39 |
|
40 |
I used the footnote numbers to reference the attacks. |
41 |
|
42 |
-Zero |