Gentoo Logo

About | Projects | Docs | Forums | Lists | Bugs | Get Gentoo! | Support | Planet | Wiki

Gentoo Spaceship
Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: Chris Frey <cdfrey@...>
From: Marc Ballarin <Ballarin.Marc@...>
Subject: Re: Re: Is anybody else worried about this? (was: Trojan for Gentoo, part 2)
Date: Sun, 7 Nov 2004 19:04:42 +0000 
On Sun, 7 Nov 2004 12:01:35 -0500
Chris Frey <cdfrey@...> wrote:

> You don't.  But that's like saying there's no point in closing the front
> door since the bedroom window might be open.  If the front door is
> closed and locked, then at least we can pay more attention to the open
> window.

But you have not achieved more security. That is the point. If a
distributor promises package integrity through signatures, they are
lying. It is like showing of the locked front door without mentioning the
open bedroom window.

OTOH: If you are responsible for the front door's security, you should
close it, of course. This is why Gentoo *should* use signatures.
However, it is wrong to excpect or even promise a great improvement in
security through this measure.

> 
> Plus, the glibc ebuild maintainer should be tracking the changes.  He
> knows what's going on in glibc land, he knows the build process, he
> should be in touch with the main developers, and he should be reading
> the diffs.

This might work for glibc (Don't know, really.). But it certainly won't
work for many other packages. All the developer can do here is trust the
guy at the bedroom window - just to stay with that example.

> 
> If he doesn't have the time or skill to do that, he can at least compare
> against the work of people who do, such as the source packages of Debian
> or Fedora Core.  It is pretty easy to do a diff.

And Debian will compare against Gentoo, while Redhat compares gainst Suse,
who in turn...

My point being: Manipulations can be subtle, escpecially if they are
carefully planned. Many eys are necessary to spot them. Manipulations at a
low-level (a projects CVS-server) could easily propagate to many distros.
So it comes down to either check for yourself or trust the upstream
developers and their signatures and checksums.

If you use signatures to verify a package, you have to understand exactly
what guarantees are given.

This is exactly one thing: 
The package or ebuild is identical to the version the Gentoo developer
signed, provided that his workstation has not been compromised.

Nothing else is guaranteed.

The reason signing still makes sense is numbers and probability. There are
only few developer machines, they are mostly unknown to attackers and are
hopefully not used as servers.

rsync mirrors, otoh,  are many, well known and constantly exposed to the
internet.

Regards

--
gentoo-security@g.o mailing list
Replies:
Re: Is anybody else worried about this? (was: Trojan for Gentoo, part 2)
-- Peter Simons
References:
Trojan for Gentoo, part 2
-- Alexander Holler
Is anybody else worried about this? (was: Trojan for Gentoo, part 2)
-- Peter Simons
Re: Is anybody else worried about this? (was: Trojan for Gentoo, part 2)
-- Kurt Lieber
Re: Is anybody else worried about this? (was: Trojan for Gentoo, part 2)
-- Chris Frey
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: Is anybody else worried about this? (was: Trojan for Gentoo, part 2)
Next by thread:
Re: Is anybody else worried about this? (was: Trojan for Gentoo, part 2)
Previous by date:
Re: Is anybody else worried about this?
Next by date:
Re: Is anybody else worried about this? (was: Trojan for Gentoo, part 2)


Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.