List Archive: gentoo-security
On Thursday 20 March 2008, Florian Philipp wrote:
> Hi list!
> Am I right that there is currently no way portage tries to verify
> that the rsync-mirror is not spoofed?
> Doesn't that pose a major threat? If I were able to manipulate the
> domain name resolution, I could easily trick gentooers into making
> false updates and thus executing a malicious program with
> root-permission on their machine.
> So, why isn't there some kind of public key authentication going on,
> at least optionally?
> By the way: How does gentoo's gpg-feature work? The man-page doesn't
> contain an explanation.
As Mansour already pointed out, the only check Portage currently does is
comparing checksums from the Manifest in your tree (rsync delivered)
against the files in the tree (also rsync, will be executed as root)
and those downloaded from SRC_URI (usually distfiles).
The only way to secure this is to employ signing at the very source
(CVS, core gentoo infra) and then check it on the user side. If you
want to do this right now, you can change your tree syncing to manually
download the gpg-signed portage-latest.tar.bz2 tree snapshots from your
local distfiles mirror and check them.
If you want to know more details on the plans we have to implement
signing via rsync, please read, and feel free to comment on:
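As an added illustration of the check described in the reply above (this is not Portage's own code and not part of the original message), here is a small Python sketch of Manifest checksum verification. The Manifest2 line layout it parses (entry type, file name, size, then hash-name/hex pairs for RMD160, SHA1 and SHA256) is the real one; the file name, the file contents and the resulting Manifest line are constructed inside the block. The last result returned by demo() shows the point the reply makes: because the Manifest arrives over the same unsigned rsync channel as the rest of the tree, a tree that has been replaced wholesale still agrees with its own checksums, so only a signature made at the source (or verifying the gpg-signed snapshot) can detect it.

```python
"""Added example: the size/checksum check Portage performs against a Manifest,
and why that check alone cannot detect a spoofed rsync mirror.
Not Portage's own code; Manifest format is real, sample data is constructed."""
import hashlib
from typing import Dict, Optional, Tuple

# Hash names as they appear in a Manifest2 line, mapped to hashlib names.
MANIFEST_HASHES = {"RMD160": "ripemd160", "SHA1": "sha1", "SHA256": "sha256"}

# (entry type, size in bytes, {HASH name: hexdigest})
ManifestEntry = Tuple[str, int, Dict[str, str]]


def digest(data: bytes, algo: str) -> Optional[str]:
    """Hexdigest of data, or None if this hashlib build lacks the algorithm."""
    try:
        h = hashlib.new(algo)
    except ValueError:
        return None  # e.g. RIPEMD-160 is missing from some OpenSSL builds
    h.update(data)
    return h.hexdigest()


def make_manifest_line(etype: str, fname: str, data: bytes) -> str:
    """Build one Manifest2 line, i.e. what the developer-side digest step records."""
    fields = [etype, fname, str(len(data))]
    for name, algo in MANIFEST_HASHES.items():
        hexdigest = digest(data, algo)
        if hexdigest is not None:
            fields += [name, hexdigest]
    return " ".join(fields)


def parse_manifest(text: str) -> Dict[str, ManifestEntry]:
    """Map file name -> (type, size, hashes) for every well-formed Manifest line."""
    entries: Dict[str, ManifestEntry] = {}
    for line in text.splitlines():
        parts = line.split()
        # type, file, size, then HASH/hex pairs: an odd field count of at least 5
        if len(parts) < 5 or len(parts) % 2 == 0:
            continue
        try:
            size = int(parts[2])
        except ValueError:
            continue  # malformed size field: ignore the line
        hashes = dict(zip(parts[3::2], parts[4::2]))
        entries[parts[1]] = (parts[0], size, hashes)
    return entries


def verify_file(entries: Dict[str, ManifestEntry], fname: str, data: bytes) -> bool:
    """The check Portage does: the size and every known digest must match."""
    if fname not in entries:
        return False
    _, size, hashes = entries[fname]
    if len(data) != size:
        return False
    checked = 0
    for name, expected in hashes.items():
        algo = MANIFEST_HASHES.get(name)
        if algo is None:
            continue  # unknown hash name: skip rather than fail
        actual = digest(data, algo)
        if actual is None:
            continue  # algorithm unavailable locally
        if actual != expected.lower():
            return False
        checked += 1
    return checked > 0  # refuse if nothing could actually be checked


def demo() -> Dict[str, bool]:
    # Constructed sample distfile and the Manifest line the genuine tree carries.
    good = b"constructed sample tarball bytes\n"
    entries = parse_manifest(make_manifest_line("DIST", "hello-1.0.tar.gz", good))

    # Same Manifest, but the distfile was corrupted or swapped on the distfiles mirror.
    evil = b"constructed tampered tarball bytes\n"

    # A spoofed rsync mirror delivers the whole tree, Manifest included, so the
    # Manifest it ships is simply consistent with the files it ships.
    spoofed = parse_manifest(make_manifest_line("DIST", "hello-1.0.tar.gz", evil))

    return {
        "genuine_file_passes": verify_file(entries, "hello-1.0.tar.gz", good),
        "tampered_distfile_rejected": not verify_file(entries, "hello-1.0.tar.gz", evil),
        "spoofed_tree_not_detected": verify_file(spoofed, "hello-1.0.tar.gz", evil),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The second result is the case the Manifest is designed for (a bad file under a trusted Manifest); the third is the case the original poster asks about, and it only becomes detectable once the Manifest, or the tree snapshot containing it, carries a signature that was made before it reached the mirror.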