To: gentoo-security@g.o
From: "J Holder" <trs-gml@...>
Subject: Re: Thoughts on Package Security
Date: Wed, 18 Feb 2004 11:20:11 -0600 (CST)
Ed Grimm said:
> On Tue, 17 Feb 2004, Brian Klauss wrote:
>
>> What I don't understand then is the problem with security of ebuilds.
>> If we can validate that the MD5 hash is consistent with the published
>> hash, then the package would be considered secure and case is
>> effectively closed?
>> Right?
>
> And how do you know the published hash?  Are there not entities in the
> datastream that could alter both the file you download and the MD5 that
> you download?  Especially if, as I think I've seen, emerge gets the MD5
> hash from the same source as it gets the source packages.  However, even
> in the case of multiple mirrors, either the primary FTP server could've
> been cracked, or the datastream could be hijacked at the local ISP,
> inserting an altered datastream for each file.
>
> Using a PGP/GPG signature would reduce the questions of trust down to
> 'do we trust the gentoo devs', 'do we trust PGP', and 'do we trust the
> PGP signature'.  Right now, we're also having to trust the primary FTP
> server, our local mirror, and all the net in between them and us,
> including our ISP, as they're all placed such that they could substitute
> alternate versions of both files, and we'd be none the wiser.  Some
> people believe that is perfectly acceptable.  Others do not.
>
> One could use an X509 sig instead of a PGP sig, although my impression
> is that fewer people are familiar with those.  On the other hand, they
> do have a more refined chain of trust (at least, if you go with an
> existing CA rather than your own.)

I tend to agree with this point.  So far extreme vigilance on the part of
the gentoo admins protected us from a potential problem when there was
previously a breakin.  But in the long run, PGP or some similar
alternative would be a whole lot safer.

The really big issue is getting that kind of infrastructure in place.  Do
we have each gentoo dev sign the files he/she is responsible for?  I think
we can dismiss the possibility of using one key to sign everything.  Maybe
a key for each software group would be feasible?


--
gentoo-security@g.o mailing list
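The thread's core point, that an MD5 shipped over the same channel as the package proves nothing against an on-path attacker who can rewrite both, while a signature checked against a key obtained out of band cannot be matched to an altered file, can be shown end to end in a short script. The following is an added example, not code from the thread, from Portage or from Gentoo's infrastructure. It stands in for PGP/GPG with a Lamport one-time signature (hash-based, standard library only) so that it runs offline; the "mirror", the "hijacked datastream" and the package bytes are all constructed sample data.

```python
"""Added example: hash-beside-file versus signature-with-pinned-key.

PGP/GPG is replaced by a Lamport one-time signature so that only the Python
standard library is needed. Every file, hash and 'mirror' below is constructed."""
import hashlib
import secrets

N = 256  # one (k0, k1) secret pair per bit of a SHA-256 digest


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: N pairs of random 32-byte secrets. Public key: their hashes.
    The public key is what users must obtain out of band (install media, keyring)."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pub = [(sha256(k0), sha256(k1)) for k0, k1 in priv]
    return priv, pub


def sign(priv, data: bytes):
    """For each digest bit reveal the matching secret. A Lamport key is one-time:
    signing two different messages with it leaks enough secrets to forge."""
    digest = int.from_bytes(sha256(data), "big")
    return [priv[i][(digest >> (N - 1 - i)) & 1] for i in range(N)]


def verify(pub, data: bytes, sig) -> bool:
    """Hash every revealed secret and compare with the public key entry the
    message digest selects; a changed file selects other entries and fails."""
    if len(sig) != N:
        return False
    digest = int.from_bytes(sha256(data), "big")
    return all(sha256(sig[i]) == pub[i][(digest >> (N - 1 - i)) & 1] for i in range(N))


def hash_check(file: bytes, published_md5: str) -> bool:
    """What the thread calls validating the MD5 against the published hash,
    where the 'published' hash arrived alongside the file."""
    return hashlib.md5(file).hexdigest() == published_md5


def hijacked_datastream(bundle: dict) -> dict:
    """Constructed on-path substitution: the file is replaced and the MD5 that
    travels with it is recomputed. The signature cannot be recomputed because
    the attacker never held the private key, so it is passed through unchanged."""
    altered = bundle["file"] + b" plus bytes the developer never shipped"
    return {"file": altered, "md5": hashlib.md5(altered).hexdigest(), "sig": bundle["sig"]}


def scenario() -> dict:
    """Returns {path: (md5_check_passed, signature_check_passed)} for an honest
    mirror and for the hijacked datastream described in the thread."""
    priv, pub = keygen()                      # developer side, done once
    tarball = b"constructed sample package contents"
    bundle = {
        "file": tarball,
        "md5": hashlib.md5(tarball).hexdigest(),
        "sig": sign(priv, tarball),
    }
    honest = (hash_check(bundle["file"], bundle["md5"]),
              verify(pub, bundle["file"], bundle["sig"]))
    hijacked = hijacked_datastream(bundle)
    tampered = (hash_check(hijacked["file"], hijacked["md5"]),
                verify(pub, hijacked["file"], hijacked["sig"]))
    return {"honest": honest, "tampered": tampered}


if __name__ == "__main__":
    for path, (md5_ok, sig_ok) in scenario().items():
        print(f"{path:9s} md5 check: {md5_ok!s:5s} signature check: {sig_ok}")
```

Running it prints `True True` for the honest mirror and `True False` for the hijacked datastream: the MD5 comparison is satisfied by the substituted bundle, exactly as Ed describes, and only the signature check, whose trust rests on the public key rather than on the download path, detects the change. The same split applies to the infrastructure question in the reply: with one key per developer or per group, `pub` becomes a keyring, and the verifier additionally needs to know which key is allowed to sign which files.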
