Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-security@g.o
From: shimi <shimi@...>
Subject: Re: portage/rsync question
Date: Tue, 6 Apr 2010 23:26:42 +0300
<div dir="ltr"><br><br><div class="gmail_quote">On Tue, Apr 6, 2010 at 10:26 PM, Butterworth, John W. <span dir="ltr">&lt;<a href="mailto:jbutterworth@...">jbutterworth@...</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">









<div link="blue" vlink="purple" lang="EN-US">

<div>

<p class="MsoNormal">Hi.  I have a security-related question for Portage/rsync:
</p>

<p class="MsoNormal"> </p>

<p>If someone makes a change to a copy of a program (say a
backdoor added to apache) hosted on a public mirror, will the sync’ing
between the public mirror and the main rotation mirror determine that it&#39;s
corrupted (via &#39;bad&#39; checksum) on the public-mirror side and replace it? </p>

<p class="MsoNormal"> </p><p class="MsoNormal"><br></p></div></div></blockquote><div>If it&#39;s hosted @ Gentoo, if the main server is intact, the next sync 
will overwrite the mirror-local copy<br><br>If it&#39;s not hosted on on Gentoo&#39;s mirror, Gentoo&#39;s sync&#39;ing is unrelated (and I understand that&#39;s the scenario you refer to)<br><br>Anyways, unless the *ebuild* was *also* poisoned (which can&#39;t happen by a cracker changing stuff at <a href="http://apache.org">apache.org</a>), when you try to *emerge* the package, emerge will fail because Portage verifies various different hash signatures on the source files - which are embedded in the portage package tree [1].<br>
<br>HTH,<br><br>-- Shimi<br><br>[1] Try: cat /usr/portage/www-servers/apache/Manifest<br><br> <br></div></div><br></div>
Replies:
RE: portage/rsync question
-- Butterworth, John W.
References:
portage/rsync question
-- Butterworth, John W.
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: portage/rsync question
Next by thread:
RE: portage/rsync question
Previous by date:
Re: portage/rsync question
Next by date:
RE: portage/rsync question


Updated Oct 31, 2011

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.