Gentoo Archives: gentoo-security

From: shimi <shimi@×××××.net>
To: "Butterworth, John W." <jbutterworth@×××××.org>
Cc: "gentoo-security@l.g.o" <gentoo-security@l.g.o>
Subject: Re: [gentoo-security] portage/rsync question
Date: Tue, 06 Apr 2010 21:20:58
Message-Id: w2t9eba290f1004061406r60e02ec0k33355502d3454fb9@mail.gmail.com
In Reply to: RE: [gentoo-security] portage/rsync question by "Butterworth
On Tue, Apr 6, 2010 at 11:45 PM, Butterworth, John W. <
jbutterworth@×××××.org> wrote:

> Thank you Shimi.
>
> I also came across a couple of threads in my research:
>
> http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/
> and
> http://thread.gmane.org/gmane.linux.gentoo.devel/38363
>
> These (from back in 2006/2008) discuss potential changes to make the
> Gentoo software distribution system more secure. Does Portage verify
> various different hash signatures on the source files as a result of these
> recommendations or is this something Portage has always done? Does anyone
> know if anything (else) ever came of these proposals?
>
This is with regards to signing; signing also promises you that the file at Gentoo's main distribution is intact, otherwise the signature won't be valid. Verifying files' integrity by hashes is unrelated; of course, when you do sign your releases, you have to sign all the relevant stuff, including the hashes of the files, so everyone can verify that *nothing* was tampered with. But I was merely talking about verifying that the downloaded file matches what the developer who added the package had on his computer (assuming, again, that you're syncing from a reliable source, and that this reliable source, which is syncing from Gentoo's main tree, is syncing from a non-compromised tree, AND that no one MITM'd it - which is difficult to achieve when rsync traffic is not SSL with verifiable certs AND the packages themselves are not signed with PGP etc...)

Anyways, the existence of hashes for the files, if memory serves me right, has been there since before I started using Gentoo, which dates back to the end of 2003... The hash algorithms have changed over time, but that's no biggie - you can look at the Manifest file I gave as example - you just have the hash there along with the algorithm that needs to verify it (and there's more than one...)

Sorry, but I don't know about the status of actual signing in Gentoo, which is probably handled by the security people... I am merely an old user :)

HTH,

-- 
Shimi
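The Manifest check Shimi describes (one line per file, carrying the file size plus one or more algorithm/digest pairs, with every listed algorithm expected to verify) can be illustrated with a small verifier. The following is an added example written for this archive page; it is not Portage's code and not code from the thread. It assumes the Manifest2 line layout `TYPE filename size ALG hexdigest [ALG hexdigest ...]`, which is the layout Portage has used since Manifest2; the sample Manifest text, the file contents and the `WHIRLPOOL 0123abcd` entry are constructed here for the demo, and the digests in the sample are computed at load time from the constructed contents rather than copied from any real package. The defender-relevant points it shows are that a size mismatch, any single digest mismatch, or an algorithm the verifier cannot compute each cause rejection (fail closed), rather than accepting a file because one of its hashes happened to match.

```python
import hashlib
from dataclasses import dataclass

# Algorithm names as they appear in Gentoo Manifest files, mapped to hashlib names.
# RMD160 is listed for completeness; it may be unavailable in a given OpenSSL build.
MANIFEST_HASHES = {
    "MD5": "md5",
    "SHA1": "sha1",
    "SHA256": "sha256",
    "SHA512": "sha512",
    "BLAKE2B": "blake2b",
    "RMD160": "ripemd160",
}


@dataclass
class ManifestEntry:
    ftype: str          # DIST, EBUILD, MISC, AUX
    name: str
    size: int
    hashes: dict        # algorithm name -> lowercase hex digest


def parse_manifest(text):
    """Parse Manifest2 lines into a dict keyed by filename (assumed layout, see lead-in)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and PGP armour lines of a clearsigned Manifest.
        if not line or line.startswith("#") or line.startswith("-----"):
            continue
        parts = line.split()
        # TYPE name size + at least one (ALG, hex) pair => odd count, minimum 5 fields.
        if len(parts) < 5 or len(parts) % 2 != 1:
            raise ValueError(f"malformed Manifest line: {line!r}")
        ftype, name, size = parts[0], parts[1], int(parts[2])
        hashes = {alg: hexd.lower() for alg, hexd in zip(parts[3::2], parts[4::2])}
        entries[name] = ManifestEntry(ftype, name, size, hashes)
    return entries


def verify_file(entry, data):
    """Return (ok, problems). Size and every listed digest must match; unknown algorithms fail closed."""
    problems = []
    if len(data) != entry.size:
        problems.append(f"size {len(data)} != {entry.size}")
    for alg, expected in entry.hashes.items():
        hashlib_name = MANIFEST_HASHES.get(alg)
        if hashlib_name is None:
            problems.append(f"unsupported hash {alg}")
            continue
        try:
            h = hashlib.new(hashlib_name)
        except ValueError:
            problems.append(f"{alg} unavailable in this hashlib build")
            continue
        h.update(data)
        if h.hexdigest() != expected:
            problems.append(f"{alg} mismatch")
    return (not problems, problems)


def check(manifest_text, name, data):
    """Look a file up in the Manifest and verify its contents."""
    entries = parse_manifest(manifest_text)
    if name not in entries:
        return (False, ["no Manifest entry"])
    return verify_file(entries[name], data)


def _digest(alg, data):
    h = hashlib.new(MANIFEST_HASHES[alg])
    h.update(data)
    return h.hexdigest()


# Constructed sample inputs for the demo: a "good" tarball body and a tampered copy.
GOOD = b"constructed sample tarball contents\n"
TAMPERED = b"constructed sample tarball contents!\n"

# Constructed sample Manifest: digests computed from GOOD at load time; the second
# line carries a WHIRLPOOL digest (placeholder value) this verifier cannot compute.
SAMPLE_MANIFEST = "\n".join([
    f"DIST example-1.0.tar.gz {len(GOOD)} BLAKE2B {_digest('BLAKE2B', GOOD)} "
    f"SHA512 {_digest('SHA512', GOOD)}",
    f"DIST legacy-0.1.tar.gz {len(GOOD)} SHA256 {_digest('SHA256', GOOD)} WHIRLPOOL 0123abcd",
])

if __name__ == "__main__":
    for name, data in [("example-1.0.tar.gz", GOOD),
                       ("example-1.0.tar.gz", TAMPERED),
                       ("legacy-0.1.tar.gz", GOOD)]:
        ok, why = check(SAMPLE_MANIFEST, name, data)
        print(f"{name}: {'OK' if ok else 'REJECT'} {why}")
```

Run stand-alone it accepts the good contents, rejects the tampered copy on both size and digest, and rejects the legacy entry because one of its listed algorithms is unsupported. That last behaviour is the one worth keeping in mind from the thread: a verifier that silently skips digests it does not understand turns an "all listed hashes must match" check into "whatever I could compute matched".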