Gentoo Archives: gentoo-security

From: Mansour Moufid <mansourmoufid@×××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] portage/rsync question
Date: Wed, 07 Apr 2010 03:04:51
Message-Id: k2i44a1f4d21004061914l3bb567d2q8ca0a4ad01ab419b@mail.gmail.com
In Reply to: [gentoo-security] portage/rsync question by "Butterworth
On Tue, Apr 6, 2010 at 2:56 PM, Butterworth, John W.
<jbutterworth@×××××.org> wrote:
> If someone makes a change to a copy of a program (say a backdoor added to
> apache) hosted on a public mirror, will the sync’ing between the public
> mirror and the main rotation mirror determine that it's corrupted (via 'bad'
> checksum) on the public-mirror side and replace it?

Package files themselves aren't part of the Portage tree (i.e. they
aren't hosted by the Portage mirrors). Only the ebuilds (and
accompanying metadata files) are. Ebuilds (generally) will point to
the package files on public websites.

If an attacker has access to the package files (say at apache.org),
then your local Portage would indeed notice the corruption. On the
other hand, if they have access to the ebuilds and Manifest files of
the mirror you rsync to, Portage checks protect against nothing. At
that point, unless the attacker also controls the mirror server's
syncing with the main Gentoo tree, then yes, any malicious changes
would be overwritten during its next sync. That's not something to
count on.

--
Mansour Moufid
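To illustrate the distinction the reply draws, here is an added example (not from the post and not Portage's own code): a minimal verifier for Manifest2-style `DIST` entries, run over a constructed sample distfile. It shows that a distfile altered on the upstream host fails the local check, while an attacker who can also rewrite the Manifest served by the rsync mirror makes the altered file pass. The single SHA512 hash and the file names are simplifying assumptions; real Manifests carry several hashes per entry.

```python
import hashlib

# Constructed sample: the "distfile" an ebuild would fetch from the package's
# upstream host, and the Manifest2-style DIST line the tree's Manifest carries.
GOOD_DISTFILE = b"apache-httpd source tarball (constructed sample)\n"
NAME = "apache.tar.bz2"  # assumed filename

def dist_line(name: str, data: bytes) -> str:
    """Build a DIST entry: filename, byte size and a SHA512 digest."""
    return f"DIST {name} {len(data)} SHA512 {hashlib.sha512(data).hexdigest()}"

def parse_manifest(text: str) -> dict:
    """Map filename -> (size, {HASHNAME: hexdigest}) for DIST entries only."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        # DIST lines have an odd field count: type, name, size, then hash pairs
        if len(f) < 5 or f[0] != "DIST" or len(f) % 2 == 0:
            continue  # EBUILD/MISC/AUX entries and malformed lines are skipped
        hashes = {k.upper(): v.lower() for k, v in zip(f[3::2], f[4::2])}
        entries[f[1]] = (int(f[2]), hashes)
    return entries

def verify(manifest_text: str, name: str, data: bytes) -> bool:
    """Check a fetched distfile against its Manifest entry: size, then hashes."""
    entry = parse_manifest(manifest_text).get(name)
    if entry is None:
        return False  # no entry at all: refuse the file
    size, hashes = entry
    if size != len(data):
        return False
    for algo, expected in hashes.items():
        try:
            h = hashlib.new(algo.lower())
        except ValueError:
            return False  # unknown hash algorithm: reject rather than skip
        h.update(data)
        if h.hexdigest() != expected:
            return False
    return True

# Manifest as synced from the tree; an unrelated EBUILD entry is included to
# show that only DIST entries are consulted for distfiles.
MANIFEST = "EBUILD apache-2.2.ebuild 1234 SHA512 00\n" + dist_line(NAME, GOOD_DISTFILE) + "\n"
TAMPERED = GOOD_DISTFILE + b"backdoor (constructed)\n"

def upstream_only_tampering_detected() -> bool:
    """Attacker altered the distfile at its upstream host only."""
    return verify(MANIFEST, NAME, GOOD_DISTFILE) and not verify(MANIFEST, NAME, TAMPERED)

def mirror_manifest_tampering_passes() -> bool:
    """Attacker also rewrote the Manifest on the rsync mirror you sync from."""
    forged = dist_line(NAME, TAMPERED) + "\n"
    return verify(forged, NAME, TAMPERED)
```

The second function is the case the reply warns about: a Manifest check is only as trustworthy as the mirror that delivered the Manifest.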
