Gentoo Archives: gentoo-security

From: "Butterworth
To: shimi <shimi@×××××.net>, "gentoo-security@l.g.o" <gentoo-security@l.g.o>
Subject: RE: [gentoo-security] portage/rsync question
Date: Tue, 06 Apr 2010 21:16:36
Message-Id: 8622C222D2FC9D499533B1EEF631D39303331FA631@IMCMBX1.MITRE.ORG
In Reply to: Re: [gentoo-security] portage/rsync question by shimi
Thank you Shimi.  

I also came across a couple threads in my research:

http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/ and

http://thread.gmane.org/gmane.linux.gentoo.devel/38363

These (from back in 2006/2008) discuss potential changes to make the Gentoo software distribution system more secure. Does Portage verify various different hash signatures on the source files as a result of these recommendations, or is this something Portage has always done? Does anyone know if anything (else) ever came of these proposals?

I'm new to the Gentoo community and am playing catch-up in regards to what's going on. Thank you.

-John

From: shimi [mailto:shimi@×××××.net] 
Sent: Tuesday, April 06, 2010 4:27 PM
To: gentoo-security@l.g.o
Cc: Butterworth, John W.
Subject: Re: [gentoo-security] portage/rsync question

On Tue, Apr 6, 2010 at 10:26 PM, Butterworth, John W. <jbutterworth@×××××.org> wrote:

Hi. I have a security-related question for Portage/rsync:

If someone makes a change to a copy of a program (say a backdoor added to apache) hosted on a public mirror, will the sync'ing between the public mirror and the main rotation mirror determine that it's corrupted (via 'bad' checksum) on the public-mirror side and replace it?

If it's hosted @ Gentoo, and the main server is intact, the next sync will overwrite the mirror-local copy.

If it's not hosted on Gentoo's mirror, Gentoo's sync'ing is unrelated (and I understand that's the scenario you refer to).

Anyways, unless the *ebuild* was *also* poisoned (which can't happen by a cracker changing stuff at apache.org), when you try to *emerge* the package, emerge will fail, because Portage verifies various different hash signatures on the source files, which are embedded in the portage package tree [1].

HTH,

-- Shimi

[1] Try: cat /usr/portage/www-servers/apache/Manifest
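To make the Manifest check Shimi describes concrete, here is an added example (not code from Portage or from either poster) that parses Manifest-style lines of the form `TYPE filename size HASHNAME hexdigest ...`, as printed by the `cat .../Manifest` command above, and verifies a downloaded distfile against its `DIST` entry the way `emerge` does before building: the size must match and every hash algorithm this Python can compute must match. The Manifest text and the "tarball" bytes are constructed inline so the script runs offline; the file names, `apache-example-2.2.tar.bz2` and the helper functions are assumptions for illustration only. A tampered copy of the same length is included to show that the size check alone is not enough and that the hash mismatch is what makes the merge fail.

```python
"""Verify a distfile against a Portage-style Manifest (added example, not Portage code)."""
import hashlib
import re
from dataclasses import dataclass

# One Manifest entry: "<TYPE> <filename> <size> <HASH> <hex> [<HASH> <hex> ...]"
MANIFEST_LINE = re.compile(r"^(?P<type>[A-Z]+)\s+(?P<name>\S+)\s+(?P<size>\d+)\s+(?P<hashes>.+)$")

# Manifest hash names -> hashlib names. Gentoo Manifests have used RMD160/SHA1/SHA256
# (2010 era) and BLAKE2B/SHA512 (current); an unsupported name is skipped, not trusted.
HASH_ALGOS = {"SHA256": "sha256", "SHA512": "sha512", "BLAKE2B": "blake2b",
              "SHA1": "sha1", "RMD160": "ripemd160"}


@dataclass
class ManifestEntry:
    kind: str          # DIST, EBUILD, MISC, AUX
    name: str
    size: int
    hashes: dict       # hash name -> expected hex digest


def parse_manifest(text):
    """Parse Manifest lines into {(TYPE, filename): ManifestEntry}; ignores GPG armour."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-----"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            continue
        tokens = m.group("hashes").split()
        if len(tokens) % 2:
            raise ValueError(f"malformed hash list: {line!r}")
        hashes = {tokens[i].upper(): tokens[i + 1].lower() for i in range(0, len(tokens), 2)}
        entry = ManifestEntry(m.group("type"), m.group("name"), int(m.group("size")), hashes)
        entries[(entry.kind, entry.name)] = entry
    return entries


def verify_file(entry, data):
    """Return a list of problems for `data`; an empty list means the file matches the entry."""
    problems = []
    if len(data) != entry.size:
        problems.append(f"size mismatch: expected {entry.size}, got {len(data)}")
    checked = 0
    for hname, expected in entry.hashes.items():
        algo = HASH_ALGOS.get(hname)
        if algo is None:
            continue
        try:
            actual = hashlib.new(algo, data).hexdigest()
        except ValueError:          # algorithm not available in this OpenSSL build
            continue
        checked += 1
        if actual != expected:
            problems.append(f"{hname} mismatch")
    if checked == 0:
        problems.append("no verifiable hash in Manifest entry")
    return problems


def verify_distfile(manifest_text, filename, data):
    """Look up the DIST entry for `filename` and verify `data` against it.
    Raises KeyError when the Manifest has no entry, which is also a refusal to build."""
    entries = parse_manifest(manifest_text)
    return verify_file(entries[("DIST", filename)], data)


# --- constructed sample data (not a real Gentoo Manifest or tarball) ---
GOOD_TARBALL = b"constructed sample distfile contents\n" * 3
TAMPERED_TARBALL = GOOD_TARBALL.replace(b"sample", b"backdo")   # same length, different bytes


def _entry_line(kind, name, data):
    """Build one Manifest line for constructed sample bytes (assumed helper)."""
    return " ".join([kind, name, str(len(data)),
                     "SHA256", hashlib.sha256(data).hexdigest(),
                     "SHA512", hashlib.sha512(data).hexdigest()])


SAMPLE_MANIFEST = "\n".join([
    _entry_line("DIST", "apache-example-2.2.tar.bz2", GOOD_TARBALL),
    _entry_line("EBUILD", "apache-example-2.2.ebuild", b"# constructed ebuild\n"),
])

if __name__ == "__main__":
    for label, blob in (("pristine", GOOD_TARBALL), ("tampered", TAMPERED_TARBALL)):
        result = verify_distfile(SAMPLE_MANIFEST, "apache-example-2.2.tar.bz2", blob)
        print(label, "->", "OK" if not result else "; ".join(result))
```

The check is only as strong as the integrity of the Manifest itself: a tampered mirror that can rewrite both the distfile and the Manifest (the "ebuild also poisoned" case Shimi excludes) would pass this test, which is exactly the gap the tree-signing proposals linked above set out to close by signing the Manifest.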
