Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: "gentoo-security@g.o" <gentoo-security@g.o>
From: "Butterworth, John W." <jbutterworth@...>
Subject: RE: portage/rsync question
Date: Wed, 7 Apr 2010 11:06:02 -0400
So to avoid "spamming" with 20+ Thank You emails I'll send out just one and thank you all collectively for the information provided (I hope this isn't rude - I'm not sure of proper protocol in this situation).  

I have a lot more insight now and some new ideas of where I need to look to learn more.  This is a great community and it reflects in the OS - I don't know why I waited so long to try Gentoo.(??)!
-john

-----Original Message-----
From: Mansour Moufid [mailto:mansourmoufid@...] 
Sent: Tuesday, April 06, 2010 10:15 PM
To: gentoo-security@g.o
Subject: Re: [gentoo-security] portage/rsync question

On Tue, Apr 6, 2010 at 2:56 PM, Butterworth, John W.
<jbutterworth@...> wrote:
> If someone makes a change to a copy of a program (say a backdoor added to
> apache) hosted on a public mirror, will the sync’ing between the public
> mirror and the main rotation mirror determine that it's corrupted (via 'bad'
> checksum) on the public-mirror side and replace it?

Package files themselves aren't part of the Portage tree (i.e. they
aren't hosted by the Portage mirrors). Only the ebuilds (and
accompanying metadata files) are. Ebuilds (generally) will point to
the package files on public websites.

If an attacker has access to the package files (say at apache.org),
then your local Portage would indeed notice the corruption. On the
other hand, if they have access to the ebuilds and Manifest files of
the mirror you rsync to, Portage checks protect against nothing. At
that point, unless the attacker also controls the mirror server's
syncing with the main Gentoo tree, then yes, any malicious changes
would be overwritten during its next sync. That's not something to
count on.

-- 
Mansour Moufid

Attachment:
smime.p7s (S/MIME cryptographic signature)
References:
portage/rsync question
-- Butterworth, John W.
Re: portage/rsync question
-- Mansour Moufid
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: portage/rsync question
Next by thread:
Ruxcon 2010 Final Call For Papers
Previous by date:
Re: portage/rsync question
Next by date:
Ruxcon 2010 Final Call For Papers


Updated May 10, 2012

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.