Gentoo Archives: gentoo-security

From: Robert Buchholz <rbu@g.o>
To: gentoo-security@l.g.o
Cc: Florian Philipp <lists@××××××××××××××××××.net>
Subject: Re: [gentoo-security] Portage rsync security
Date: Thu, 20 Mar 2008 13:08:48
Message-Id: 200803201407.40543.rbu@gentoo.org
In Reply to: [gentoo-security] Portage rsync security by Florian Philipp
On Thursday 20 March 2008, Florian Philipp wrote:
> Hi list!
>
> Am I right that there is currently no way portage tries to verify
> that the rsync-mirror is not spoofed?
>
> Doesn't that pose a major threat? If I were able to manipulate the
> domain name resolution, I could easily trick gentooers into making
> false updates and thus executing a malicious program with
> root-permission on their machine.
>
>
> So, why isn't there some kind of public key authentication going on,
> at least optionally?
>
> By the way: How does gentoo's gpg-feature work. The man-page doesn't
> contain an explanation.

As Mansour already pointed out, the only check Portage currently does is
comparing checksums from the Manifest in your tree (rsync delivered)
against the files in the tree (also rsync, will be executed as root) and
those downloaded from SRC_URI (usually distfiles).

The only way to secure this is to employ signing at the very source
(CVS, core gentoo infra) and then check it on the user side.

If you want to do this right now, you can change your tree syncing to
manually download the gpg-signed portage-latest.tar.bz2 tree snapshots
from your local distfiles mirror and check them.

If you want to know more details on the plans we have to implement
signing via rsync, please read, and feel free to comment on:
http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/

Regards,
Robert
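
One way to carry out the snapshot check described in the message above, as an added example that is not part of the original e-mail or of Gentoo's tooling. It pins the signer's fingerprint instead of trusting any key in the keyring; the function names, the keyring path, the destination directory and the placeholder fingerprint are assumptions.

```shell
#!/bin/sh
# Added example. The pinned fingerprint below is a placeholder; obtain the
# real snapshot signing key fingerprint from Gentoo over a trusted channel.
PINNED_FPR="${PINNED_FPR:-0000000000000000000000000000000000000000}"

# Read `gpg --status-fd` lines on stdin. Succeed only if a VALIDSIG from the
# pinned key is present and nothing reports a bad, expired or revoked one.
status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # $3 is the signing (sub)key fingerprint, the last field the primary key
        $2 == "VALIDSIG" && want != "" && ($3 == want || $NF == want) { good = 1 }
        END { exit ((good && !bad) ? 0 : 1) }
    '
}

# verify_snapshot TARBALL DETACHED_SIGNATURE KEYRING
# Uses a dedicated keyring so unrelated keys in ~/.gnupg cannot satisfy it.
verify_snapshot() {
    gpg --batch --no-default-keyring --keyring "$3" \
        --status-fd 1 --verify "$2" "$1" 2>/dev/null | status_ok "$PINNED_FPR"
}

# sync_from_snapshot TARBALL DETACHED_SIGNATURE KEYRING DEST
# Unpacks only after the signature check passed. DEST is assumed to be the
# parent directory of the tree.
sync_from_snapshot() {
    verify_snapshot "$1" "$2" "$3" || {
        echo "signature check failed, tree left untouched" >&2
        return 1
    }
    tar -xjf "$1" -C "$4"
}
```

Checking the status lines rather than only the exit code of `gpg --verify` is what lets the script reject a snapshot signed by a different key that happens to be in the keyring.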

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-security] Portage rsync security Matthias Geerdsen <vorlon@g.o>