List Archive: gentoo-security
<div dir="ltr"><br><br><div class="gmail_quote">On Tue, Apr 6, 2010 at 10:26 PM, Butterworth, John W. <span dir="ltr">&lt;<a href="mailto:jbutterworth@...">jbutterworth@...</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal">Hi. I have a security-related question for Portage/rsync:
</p>
<p class="MsoNormal"> </p>
<p>If someone makes a change to a copy of a program (say a
backdoor added to apache) hosted on a public mirror, will the sync’ing
between the public mirror and the main rotation mirror determine that it's
corrupted (via 'bad' checksum) on the public-mirror side and replace it? </p>
<p class="MsoNormal"> </p><p class="MsoNormal"><br></p></div></div></blockquote><div>If it's hosted @ Gentoo, if the main server is intact, the next sync
will overwrite the mirror-local copy<br><br>If it's not hosted on Gentoo's mirror, Gentoo's sync'ing is unrelated (and I understand that's the scenario you refer to)<br><br>Anyways, unless the *ebuild* was *also* poisoned (which can't happen by a cracker changing stuff at <a href="http://apache.org">apache.org</a>), when you try to *emerge* the package, emerge will fail because Portage verifies various different hash signatures on the source files - which are embedded in the portage package tree [1].<br>
<br>HTH,<br><br>-- Shimi<br><br>[1] Try: cat /usr/portage/www-servers/apache/Manifest<br><br> <br></div></div><br></div>
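The check described in the reply above, as an added example that is not part of the original thread and is not Portage's own code: it parses the `DIST` lines of a Manifest and verifies a downloaded source file against the recorded size and hashes. The file name, its contents and the Manifest line are constructed for the demonstration, and only a subset of hash names is handled.

```python
import hashlib
import tempfile
from pathlib import Path

# Manifest hash names -> hashlib constructors (a subset; other names are skipped).
SUPPORTED = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512, "BLAKE2B": hashlib.blake2b}

def parse_dist_entries(manifest_text):
    """Parse 'DIST <file> <size> <HASH> <hex> ...' lines into {file: (size, {HASH: hex})}."""
    entries = {}
    for line in manifest_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 == 0:
            continue  # not a well-formed DIST line
        entries[fields[1]] = (int(fields[2]), dict(zip(fields[3::2], fields[4::2])))
    return entries

def verify_distfile(path, entries):
    """Return (ok, reason) after checking the size and every supported hash."""
    path = Path(path)
    if path.name not in entries:
        return False, "no DIST entry"
    size, hashes = entries[path.name]
    data = path.read_bytes()
    if len(data) != size:
        return False, "size mismatch"
    checked = 0
    for algo, expected in hashes.items():
        if algo not in SUPPORTED:
            continue  # e.g. RMD160 may be unavailable in this Python build
        if SUPPORTED[algo](data).hexdigest() != expected.lower():
            return False, algo + " mismatch"
        checked += 1
    # Fail closed when none of the listed hashes could be checked.
    return (True, "ok") if checked else (False, "no supported hash")

def demo():
    """Constructed sample: a stand-in tarball, its DIST line, then a same-size tampered copy."""
    path = Path(tempfile.mkdtemp()) / "example-1.0.tar.bz2"
    good = b"constructed upstream tarball contents\n"
    entries = parse_dist_entries("DIST example-1.0.tar.bz2 %d SHA256 %s SHA512 %s\n" % (
        len(good), hashlib.sha256(good).hexdigest(), hashlib.sha512(good).hexdigest()))
    results = []
    for content in (good, good.replace(b"upstream", b"backdoor")):
        path.write_bytes(content)
        results.append(verify_distfile(path, entries))
    return results

if __name__ == "__main__":
    print(demo())  # [(True, 'ok'), (False, 'SHA256 mismatch')]
```

The tampered copy has the same length as the original, so the size check passes and the hash comparison is what rejects it.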