On Thu, 20 Mar 2008, Russell Valentine wrote:

> Mansour Moufid wrote:
>> An attacker would need to be able to manipulate both the rsync server
>> and the actual downloaded packages since Portage verifies checksums
>> (RMD160, SHA1, SHA256, size). This is possible, as you mentioned,
>> using DNS spoofing.
>
> I don't think this is exactly true, since when I do an emerge --rsync I also
> get patches, which can get applied. It could also download a different
> package without a second DNS spoof. Someone could change what it is trying
> to download (SRC_URI), it fails to find it in the package mirrors and
> downloads the package from a malicious site.
>

Hi all,

indeed the patches are MD5-checked against the Manifest files in the
portage tree itself, so I can't assure any integrity on the patches that
rely in the portage tree, in the case my rsync server is compromised or
spoofed.

There is no point in enforcing cryptography on the transport layer,
since this would prevent making one's own local mirror as
described in:
http://www.gentoo.org/doc/en/rsync.xml#doc_chap2

Since the Gentoo main rsync mirrors list will change sometimes, it's
also difficult (but still feasible) to maintain a secured transport with
each of the main mirrors, with /etc/hosts, netfilter, or whatever that
is IP-based. And that does not protect from the remote server
compromise.

The integrity check is currently being implemented at the data level,
not the host level, by way of GPG signatures of Manifest files:
http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=6

As of today, 2483 Manifest files are signed, and 10065 are not.
Obviously, the most used packages are often those which are signed.
You also have to manually download the GPG public keys and trust them if
you want.

--
Raphael Marichez aka Falco
Gentoo Linux Security Team
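
Added example, not part of the original message and not Portage code: a small audit that checks the files shipped in the tree (patches, ebuilds) against their Manifest and separately reports whether the Manifest is wrapped in OpenPGP clearsign armor, since matching checksums from an unsigned Manifest say nothing about where the tree came from. It assumes Manifest lines of the form `TYPE name size ALGO hash ...`; the function names and the sample package are constructed for illustration.

```python
import hashlib, os, tempfile
PGP_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
ALGOS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}  # RMD160: not in every hashlib build

def parse_manifest(text):
    """Return (clearsigned, {(type, name): (size, {algo: hexdigest})})."""
    lines = text.splitlines()
    # Armor present is not proof: the signature must still be verified with gpg
    # against a key you trust.
    clearsigned = bool(lines) and lines[0].strip() == PGP_HEADER
    entries = {}
    for line in lines:
        f = line.split()
        if len(f) >= 5 and f[0] in ("AUX", "EBUILD", "MISC", "DIST"):
            entries[(f[0], f[1])] = (int(f[2]), dict(zip(f[3::2], f[4::2])))
    return clearsigned, entries

def audit_package(pkg_dir):
    """Compare tree files with the Manifest and report if the Manifest is clearsigned."""
    with open(os.path.join(pkg_dir, "Manifest")) as fh:
        clearsigned, entries = parse_manifest(fh.read())
    mismatches = []
    for (kind, name), (size, digests) in sorted(entries.items()):
        if kind == "DIST":
            continue  # distfiles are fetched separately, not rsync'd with the tree
        sub = "files" if kind == "AUX" else ""
        try:
            with open(os.path.join(pkg_dir, sub, name), "rb") as fh:
                data = fh.read()
        except OSError:
            data = None  # a listed file that is missing counts as a mismatch
        if data is None or len(data) != size or any(
                ALGOS[a](data).hexdigest() != h for a, h in digests.items() if a in ALGOS):
            mismatches.append(name)
    return {"clearsigned": clearsigned, "mismatches": mismatches}

def demo():
    """Constructed package: unsigned Manifest, then the patch changed afterwards."""
    pkg = tempfile.mkdtemp()
    os.mkdir(os.path.join(pkg, "files"))
    patch = b"--- a/x\n+++ b/x\n"  # constructed sample patch
    with open(os.path.join(pkg, "files", "fix.patch"), "wb") as fh:
        fh.write(patch)
    with open(os.path.join(pkg, "Manifest"), "w") as fh:
        fh.write("AUX fix.patch %d SHA1 %s SHA256 %s\n" % (
            len(patch), hashlib.sha1(patch).hexdigest(), hashlib.sha256(patch).hexdigest()))
    before = audit_package(pkg)  # checksums agree, yet nothing authenticates them
    with open(os.path.join(pkg, "files", "fix.patch"), "ab") as fh:
        fh.write(b"+extra\n")
    return before, audit_package(pkg)
```

A result with an empty `mismatches` list and `clearsigned` false is the case discussed above: the files are consistent with the Manifest, but the Manifest itself arrived over the same rsync channel.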