List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Robert Buchholz <rbu@g.o>
Subject: Re: Portage rsync security
Date: Thu, 20 Mar 2008 14:07:40 +0100
On Thursday 20 March 2008, Florian Philipp wrote:
> Hi list!
>
> Am I right that there is currently no way portage tries to verify
> that the rsync-mirror is not spoofed?
>
> Doesn't that pose a major threat? If I were able to manipulate the
> domain name resolution, I could easily trick gentooers into making
> false updates and thus executing a malicious program with
> root-permission on their machine.
>
>
> So, why isn't there some kind of public key authentication going on,
> at least optionally?
>
> By the way: How does gentoo's gpg-feature work. The man-page doesn't
> contain an explanation.

As Mansour already pointed out, the only check Portage currently does is comparing checksums from the Manifest in your tree (rsync delivered) against the files in the tree (also rsync, will be executed as root) and those downloaded from SRC_URI (usually distfiles).

The only way to secure this is to employ signing at the very source (CVS, core gentoo infra) and then check it on the user side. If you want to do this right now, you can change your tree syncing to manually download the gpg-signed portage-latest.tar.bz2 tree snapshots from your local distfiles mirror and check them.

If you want to know more details on the plans we have to implement signing via rsync, please read, and feel free to comment on:
http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/

Regards,
Robert

Attachment:
signature.asc (This is a digitally signed message part.)
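Added example (not code from this thread, from Portage, or from the Gentoo tree-signing GLEPs): a minimal Manifest-style checksum check of the kind Robert describes, run against a constructed in-memory tree. It shows the two points of the reply side by side: the Manifest catches a file that was changed *after* the Manifest was written, but a spoofed mirror simply ships a regenerated Manifest together with the modified ebuild and the check passes. The last function stands in for "signing at the source": the delivered Manifest is compared against a digest obtained out of band (a real deployment would verify a GPG signature over the Manifest or snapshot instead; the digest comparison here is only a stand-in). The Manifest line layout (TYPE NAME SIZE ALG HEX ...) follows the Manifest2 format; the file names, contents and the "malicious" pkg_postinst hook are all constructed for the example.

```python
"""Manifest checksum check vs. a spoofed rsync mirror (added example).

Sample ebuild contents and Manifest lines below are constructed; this is
not Portage code and the trust-anchor check is a stand-in for a real
GPG signature verification.
"""
import hashlib

# Hash names as written in Manifest files, mapped to hashlib constructors.
HASHES = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_manifest(text):
    """Parse Manifest2-style lines: TYPE NAME SIZE ALG HEX [ALG HEX ...]."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or (len(parts) - 3) % 2:
            continue  # blank, comment or malformed line: skip it
        ftype, name, size = parts[0], parts[1], int(parts[2])
        digests = dict(zip(parts[3::2], parts[4::2]))
        entries[name] = (ftype, size, digests)
    return entries


def verify_tree(manifest_text, files):
    """files is {name: bytes}. Returns {name: bool}.

    A file fails if it is missing, has the wrong size, fails any listed
    digest, or is not covered by the Manifest at all. DIST entries for
    SRC_URI downloads are checked the same way.
    """
    entries = parse_manifest(manifest_text)
    results = {}
    for name, (_, size, digests) in entries.items():
        data = files.get(name)
        ok = data is not None and len(data) == size
        for alg, hexdigest in digests.items():
            ctor = HASHES.get(alg)
            ok = ok and ctor is not None and ctor(data).hexdigest() == hexdigest
        results[name] = ok
    for name in files:
        if name not in entries and name != "Manifest":
            results[name] = False  # present in the tree but unlisted
    return results


def make_manifest(files, ftype="EBUILD"):
    """Regenerate a Manifest for the given files. Anyone who controls the
    mirror (or the DNS answer that points at it) can do exactly this."""
    lines = []
    for name, data in sorted(files.items()):
        digests = " ".join(
            f"{alg} {ctor(data).hexdigest()}" for alg, ctor in HASHES.items()
        )
        lines.append(f"{ftype} {name} {len(data)} {digests}")
    return "\n".join(lines) + "\n"


# Constructed genuine tree: one ebuild plus the Manifest that covers it.
GENUINE = {"foo-1.0.ebuild": b'DESCRIPTION="foo"\nsrc_install() { emake install; }\n'}
GENUINE_MANIFEST = make_manifest(GENUINE)


def spoofed_mirror(files):
    """Attacker-controlled mirror: modified ebuild plus a matching Manifest.
    The appended hook is a constructed placeholder, not a real payload."""
    evil = dict(files)
    evil["foo-1.0.ebuild"] = files["foo-1.0.ebuild"] + b"pkg_postinst() { :; }\n"
    return evil, make_manifest(evil)


def check_with_trust_anchor(manifest_text, files, trusted_manifest_digest):
    """Stand-in for 'signing at the source': reject the tree unless the
    delivered Manifest matches a digest obtained over a trusted channel.
    Returns (manifest_trusted, per_file_results)."""
    delivered = hashlib.sha256(manifest_text.encode()).hexdigest()
    return delivered == trusted_manifest_digest, verify_tree(manifest_text, files)


def demo():
    """Three cases; returns (r_tampered, r_spoofed, spoofed_manifest_trusted)."""
    # 1. File changed after the genuine Manifest was written: caught.
    tampered = {"foo-1.0.ebuild": GENUINE["foo-1.0.ebuild"] + b"x"}
    r_tampered = verify_tree(GENUINE_MANIFEST, tampered)
    # 2. Spoofed mirror ships file AND Manifest: checksum check passes.
    evil_files, evil_manifest = spoofed_mirror(GENUINE)
    r_spoofed = verify_tree(evil_manifest, evil_files)
    # 3. Trust anchor on the Manifest itself rejects the spoofed tree.
    anchor = hashlib.sha256(GENUINE_MANIFEST.encode()).hexdigest()
    trusted, _ = check_with_trust_anchor(evil_manifest, evil_files, anchor)
    return r_tampered, r_spoofed, trusted


if __name__ == "__main__":
    print(demo())  # ({'foo-1.0.ebuild': False}, {'foo-1.0.ebuild': True}, False)
```

The point of case 2 is the one Florian raises: when the Manifest travels over the same unauthenticated rsync channel as the files it describes, it only protects against accidental corruption, not against a mirror that lies consistently. Only a check rooted outside that channel (the GPG-signed snapshot Robert mentions, or the tree signing the GLEPs propose) turns case 2 into a failure.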
Replies:
Re: Portage rsync security
-- Matthias Geerdsen
References:
Portage rsync security
-- Florian Philipp
Updated Jun 17, 2009
Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.