On Tue, Apr 6, 2010 at 2:56 PM, Butterworth, John W.
<jbutterworth@×××××.org> wrote:
> If someone makes a change to a copy of a program (say a backdoor added to
> apache) hosted on a public mirror, will the sync'ing between the public
> mirror and the main rotation mirror determine that it's corrupted (via 'bad'
> checksum) on the public-mirror side and replace it?

Package files themselves aren't part of the Portage tree (i.e. they
aren't hosted by the Portage mirrors). Only the ebuilds (and
accompanying metadata files) are. Ebuilds (generally) will point to
the package files on public websites.

If an attacker has access to the package files (say at apache.org),
then your local Portage would indeed notice the corruption. On the
other hand, if they have access to the ebuilds and Manifest files of
the mirror you rsync to, Portage checks protect against nothing. At
that point, unless the attacker also controls the mirror server's
syncing with the main Gentoo tree, then yes, any malicious changes
would be overwritten during its next sync. That's not something to
count on.

-- 
Mansour Moufid
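The two cases in the reply above (a modified distfile caught by the Manifest hashes, versus a modified Manifest on the rsync mirror that makes the same check pass) can be shown with a small Manifest-style verifier. This is an added illustration, not Portage's code and not from either poster; the Manifest line format (`DIST name size HASH hex ...`) follows Gentoo's Manifest2 layout, but the tarball bytes, the `apache-example.tar.bz2` name and the helper names are constructed for the demo.

```python
"""Verify a distfile against Manifest DIST entries, in the style of Portage.

Constructed example (not Portage's own code): demonstrates that hash checks
catch a modified distfile but are worthless when the Manifest itself came
from a compromised rsync mirror, which is the point of the reply above.
"""
import hashlib

# Manifest hash names mapped to hashlib names. BLAKE2B/SHA512 are the current
# Manifest2 pair; older trees used RMD160/SHA1/SHA256 (RMD160 is omitted here).
HASH_ALGOS = {
    "BLAKE2B": "blake2b",
    "SHA512": "sha512",
    "SHA256": "sha256",
    "SHA1": "sha1",
}

DISTFILE = "apache-example.tar.bz2"  # constructed name, not a real release


def parse_manifest(text):
    """Return {filename: (size, {HASHNAME: hexdigest})} for DIST entries."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "DIST":
            continue  # skip blank lines and EBUILD/MISC/AUX entries
        name, size = fields[1], int(fields[2])
        # remaining fields alternate: HASHNAME hexdigest HASHNAME hexdigest ...
        hashes = dict(zip(fields[3::2], fields[4::2]))
        entries[name] = (size, hashes)
    return entries


def verify_distfile(manifest_text, filename, data):
    """True if data matches the Manifest's size and every supported hash.

    A file absent from the Manifest is rejected, as is a size mismatch or a
    mismatch on any supported hash; unsupported hash names are skipped, and
    at least one hash must actually have been compared.
    """
    entries = parse_manifest(manifest_text)
    if filename not in entries:
        return False
    size, hashes = entries[filename]
    if len(data) != size:
        return False
    checked = 0
    for name, expected in hashes.items():
        algo = HASH_ALGOS.get(name)
        if algo is None:
            continue
        if hashlib.new(algo, data).hexdigest() != expected.lower():
            return False
        checked += 1
    return checked > 0


def make_manifest(filename, data):
    """Build a DIST line for data.

    This is exactly what control of the rsync mirror lets an attacker do:
    regenerate the Manifest so it matches a replaced distfile.
    """
    return "DIST {} {} BLAKE2B {} SHA512 {}".format(
        filename, len(data),
        hashlib.blake2b(data).hexdigest(),
        hashlib.sha512(data).hexdigest())


# Constructed sample bytes standing in for a source tarball.
GOOD_TARBALL = b"pretend-apache-source-tarball\n"
TAMPERED_TARBALL = b"pretend-apache-source-tarball\n# extra bytes\n"
MANIFEST = make_manifest(DISTFILE, GOOD_TARBALL)


def demo():
    """Return the outcomes of the scenarios the reply describes."""
    return {
        # Upstream host compromised, Manifest from the genuine tree: caught.
        "tampered_distfile_detected":
            not verify_distfile(MANIFEST, DISTFILE, TAMPERED_TARBALL),
        "good_distfile_passes":
            verify_distfile(MANIFEST, DISTFILE, GOOD_TARBALL),
        # rsync mirror compromised: attacker ships a matching Manifest, so the
        # hash check passes and, as the reply says, protects against nothing.
        "tampered_manifest_passes":
            verify_distfile(make_manifest(DISTFILE, TAMPERED_TARBALL),
                            DISTFILE, TAMPERED_TARBALL),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, outcome)
```

The third result is the one to take away: the Manifest hash only binds the distfile to whatever Manifest the client received, so its value depends entirely on how that Manifest reached you. Protection against a bad mirror has to come from trust in the tree's own provenance, not from the checksum.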