On Wed, Feb 18, 2004 at 02:13:37AM -0500, Ed Grimm wrote:
> And how do you know the published hash? Are there not entities in the
> datastream that could alter both the file you download and the MD5 that
> you download? Especially if, as I think I've seen, emerge gets the MD5
> hash from the same source as it gets the source packages. However, even
> in the case of multiple mirrors, either the primary FTP server could've
> been cracked, or the datastream could be hijacked at the local ISP,
> inserting an altered datastream for each file.
I don't think _your_ portage gets the MD5 and package from the same source.
I don't know how the MD5 gets into the ebuild (see my last paragraph),
but I think the MD5 that gets used when you execute emerge -u xyzzy is
not collected at the same time as the source package.
I thought portage worked like this:
- get some sort of pointer to other sites from master site
- rsync portage tree from the pointed site
now, portage tree contains info about builds AND MD5 HASHES
emerge -u xyzzy:
- get source package from actual distributor, NOT GENTOO
- compare MD5 of that to MD5 hash in portage tree
- continue ebuild
So, the MD5 hash in the portage tree comes from a different server
than the source package. So, the determined attacker would have to
control considerably more than one site. If our hero doesn't
perform the sync and update close together in time, then the attacker
has to control the external network for a long time as well.
I have a separate concern. I haven't read enough to know the
process by which ebuilds get committed to the portage tree.
If the submitter of the ebuild downloads the source and generates
the MD5 hash from the package, then all an attacker has to do
to compromise all gentoo distributions that use the package is
to control the distribution site from the time when the ebuild
is created until the desired number of sites are affected. For things
like the gnu sources (for example), there are enough mirrors that
an ebuild submitter could get the source from a few different mirrors,
verify that they are all hash identical (or better yet binary
identical), then add that hash to the ebuild. For smaller, non-mirrored
packages the trust model is shakier. Does anyone know
the process by which ebuilds are committed?
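The two checks discussed in the reply above, modelled as an added example (not code from the thread or from Portage itself): the submitter-side cross-mirror comparison before a hash is recorded in the tree, and the user-side comparison of a fetched tarball against that recorded hash. Mirror names, file names and file contents are constructed stand-ins; MD5 is used because that is what the thread discusses.

```python
import hashlib
import hmac

# Constructed stand-ins for the distributor's mirrors: mirror name -> files.
# Real Portage fetches these over the network; here they are in-memory bytes.
MIRRORS = {
    "ftp.example-a": {"xyzzy-1.0.tar.gz": b"genuine xyzzy release\n"},
    "ftp.example-b": {"xyzzy-1.0.tar.gz": b"genuine xyzzy release\n"},
    "ftp.example-c": {"xyzzy-1.0.tar.gz": b"genuine xyzzy release\n"},
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def record_digest(mirrors: dict, filename: str) -> str:
    """Submitter side (hypothetical helper): fetch the tarball from every
    mirror, require the copies to be byte-identical (stricter than merely
    hash-identical, as the mail suggests), and return the MD5 that would be
    written into the portage tree. Raises if any mirror disagrees."""
    copies = {name: files[filename] for name, files in mirrors.items()}
    reference = next(iter(copies.values()))
    disagreeing = sorted(n for n, data in copies.items() if data != reference)
    if disagreeing:
        raise ValueError(f"mirrors disagree on {filename}: {disagreeing}")
    return md5_hex(reference)


def verify_fetch(tree_digest: str, fetched: bytes) -> bool:
    """User side (hypothetical helper): the digest came from the rsync'd tree,
    the bytes from the distributor's site, obtained at a different time from a
    different server. A mismatch means the download must be rejected."""
    return hmac.compare_digest(md5_hex(fetched), tree_digest)


if __name__ == "__main__":
    digest = record_digest(MIRRORS, "xyzzy-1.0.tar.gz")
    print("recorded MD5:", digest)
    print("genuine download accepted:",
          verify_fetch(digest, b"genuine xyzzy release\n"))
    print("altered download accepted:", verify_fetch(digest, b"altered\n"))
```

Note the limit the mail itself points out: if the submitter records a digest from a single already-compromised site, `verify_fetch` will happily accept the same altered bytes later, so the cross-mirror check matters most for the hash's origin, not its later use.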