Peter Simons wrote:

> (1) Run "find /usr/portage -type f | xargs sha1sum -b" on
> the Gentoo main system.
>
> (2) Sign the output with GPG.
>
> (3) Put it into the portage tree.
>
> (4) If the user has GPG installed and has manually put the
> appropriate public key in some place _outside_ of the
> portage tree, have "emerge sync" verify that the
> signature is intact and all hashes hold.
>
> (5) Missing files in the tree are okay (rsync_excludes),
> files in the tree which do not have a hash are not okay.

This is a good start, but I have some thoughts.

Let's see the attack tree against Gentoo portage. The attacker wants to
inject malicious code into the tree; he has several choices now:

1) Attack the end user's machine

2) Attack the connection between the end user and the Portage mirror

3) Attack the mirror machine

4) Attack the connection between the main site and the mirror

5) Attack the main site

6) Attack the connection between the developer and the main site

7) Attack the developer's machine

Your algorithm eliminates the risk in leaves 2 to 4.

How about this: the developers have to sign the files they upload, but
do this before they upload them? This would eliminate leaves 5 and 6, too.


/Ervin

--
gentoo-security@g.o mailing list
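The client-side check described in steps (4) and (5) of the quoted proposal, written out as an added example; this is not code from the thread, from Peter Simons, or from Gentoo's portage. It assumes the manifest is plain `sha1sum -b` output taken under `/usr/portage` (file names without the backslash escaping sha1sum applies to unusual names), that the signature is detached and checked with `gpg --verify` against a keyring the user keeps outside the tree, and the sample tree, file contents and the `distfiles/big.tar` entry are constructed here. The rule from step (5) is the interesting part: a hashed file that rsync excluded is fine, but a file sitting in the tree with no hash is a failure.

```python
import hashlib
import os
import subprocess
import tempfile
from dataclasses import dataclass, field

TREE_PREFIX = "/usr/portage/"   # the path the hashes were taken under (step 1)


def verify_signature(manifest_path, sig_path, keyring):
    """Step 4: check the detached GPG signature over the manifest.

    Uses only the keyring the user placed OUTSIDE the portage tree, so a
    tampered tree cannot ship its own key. Assumes gpg is installed and the
    signature is detached (gpg --verify SIG DATA); exit status 0 means good.
    """
    result = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--verify", sig_path, manifest_path],
        capture_output=True,
    )
    return result.returncode == 0


def parse_manifest(text, prefix=TREE_PREFIX):
    """Parse `sha1sum -b` output ("<hex> *<path>") into {relative path: hex}."""
    hashes = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rest = line.partition(" ")
        path = rest[1:]               # drop the '*' (binary) or ' ' (text) mode marker
        if not path.startswith(prefix):
            raise ValueError(f"manifest entry outside the tree: {path}")
        hashes[path[len(prefix):]] = digest.lower()
    return hashes


def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class Report:
    verified: list = field(default_factory=list)
    mismatched: list = field(default_factory=list)  # hash differs: not okay
    unlisted: list = field(default_factory=list)    # present but no hash: not okay (step 5)
    missing: list = field(default_factory=list)     # hashed but absent: okay (rsync_excludes)

    @property
    def ok(self):
        return not self.mismatched and not self.unlisted


def verify_tree(root, hashes):
    """Step 5: every file in the tree must have a matching hash; missing files are fine."""
    report = Report()
    seen = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            seen.add(rel)
            expected = hashes.get(rel)
            if expected is None:
                report.unlisted.append(rel)
            elif sha1_of(full) != expected:
                report.mismatched.append(rel)
            else:
                report.verified.append(rel)
    report.missing = sorted(set(hashes) - seen)
    for bucket in (report.verified, report.mismatched, report.unlisted):
        bucket.sort()
    return report


def demo():
    """Run the check on a constructed tree, once clean and once after tampering."""
    files = {  # constructed sample tree, not real portage content
        "app-foo/foo-1.0.ebuild": b'DESCRIPTION="foo"\nSRC_URI="foo-1.0.tar.gz"\n',
        "profiles/arch.list": b"x86\nsparc\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        # Manifest as `find /usr/portage -type f | xargs sha1sum -b` would print it,
        # plus one entry for a file the mirror leaves out via rsync_excludes.
        lines = [f"{hashlib.sha1(d).hexdigest()} *{TREE_PREFIX}{rel}" for rel, d in files.items()]
        lines.append(f"{hashlib.sha1(b'excluded').hexdigest()} *{TREE_PREFIX}distfiles/big.tar")
        hashes = parse_manifest("\n".join(lines))
        clean = verify_tree(root, hashes)
        # Tamper: alter a hashed ebuild and drop in a file the manifest never listed.
        with open(os.path.join(root, "app-foo/foo-1.0.ebuild"), "ab") as f:
            f.write(b"# injected line\n")
        with open(os.path.join(root, "app-foo/foo-1.1.ebuild"), "wb") as f:
            f.write(b'DESCRIPTION="unlisted"\n')
        tampered = verify_tree(root, hashes)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean tree ok:", clean.ok, "missing (okay):", clean.missing)
    print("tampered ok:", tampered.ok, "mismatched:", tampered.mismatched,
          "unlisted:", tampered.unlisted)
```

In an "emerge sync" hook the order matters: `verify_signature` runs first and a bad or absent signature rejects the whole tree before any hash is compared, since the manifest itself arrived over the same rsync channel as the files it describes. Ervin's variant, where developers sign before uploading, changes only who produces the signed manifest; the client-side check stays the same.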