List Archive: gentoo-security
Brian G Peterson writes:
> I assume that you intend to 'blow the whistle' because
> you are incapable or unwilling to submit a patch for the
> issue yourself?
If you read the recent messages carefully, you'll find that
I have tried _numerous_ times to provide details on how to
remedy the situation.
> I agree that there is a lot of room for improvement in
> the portage security system.
Then why don't we stop discussing what I know or don't know,
do or won't do, and talk about a solution? The vast majority
of text posted in this thread is concerned with all kinds of
things BUT finding a good, technical solution to a
vulnerability that _does_ exist.
Generating a signed hash list of all files is really not
that difficult. It would solve the problem in a matter of
hours for those who are concerned about it, and it would
probably set things in motion for a better solution to be
developed that solves the problem for all users as well as
So why is the Gentoo team so incredibly reluctant to do
anything about it?
(1) Configure your main site to update the portage tree
from CVS in a time interval that's sufficiently large to
allow for the hash list to be generated. Someone else
already suggested once an hour. I can't say what is
appropriate since I don't know your setup.
(2) Calculate hashes for all files in the /usr/portage
hierarchy. One could probably use a trivial Makefile to
generate hashes incrementally, even, to ease the load
on the machine.
(3) Sign the hash file with a GPG key. That means that
either someone has to enter the pass phrase manually,
or you'll have to set up a pass phrase agent, or you'll
have to use a key without a password at all.
Everything but the first solution is sub-optimal but
still a _lot_ better than what we have now. If someone
manages to compromise the main site, we all have far
greater problems than a lost secret key, so even _if_
the pass phrase is empty we still gain security.
(4) Distribute the signed hash file with the portage tree.
(5) Provide scripts that verify the integrity of the tree
after an emerge sync _before_ any other code is run
that has been obtained from the network.
(6) Make the matching public key available on the key
servers, on the web site, and every other place that
you can think about. Give an expiry date of, say 3
months to make clear that this is an intermediate
solution that will change.
(7) Get as many people to sign the key as possible to
properly authenticate it.
(8) Write a security advisory that educates the users about
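The steps above, as an added example that is not part of the original thread or of Portage: a Python sketch of steps (2), (3) and (5), generating a sorted hash list, signing it with gpg, and checking a synced tree against it. SHA-256, the "digest  relative/path" line layout, gpg on PATH with the signing key unlocked, and the constructed sample tree in demo() are assumptions.

```python
import hashlib, subprocess, tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()  # SHA-256 is an assumption; the post names no algorithm

def list_files(tree: Path) -> dict:
    """Regular files under tree keyed by relative POSIX path; symlinks are skipped."""
    return {p.relative_to(tree).as_posix(): p
            for p in tree.rglob("*") if p.is_file() and not p.is_symlink()}

def build_manifest(tree: Path) -> str:
    """Step (2): one 'hexdigest  relative/path' line per file, sorted so reruns diff cleanly."""
    files = list_files(tree)
    return "".join(f"{hash_file(files[r])}  {r}\n" for r in sorted(files))

def sign_manifest(manifest: Path) -> None:
    """Step (3): detached ASCII-armored signature; needs gpg on PATH and an unlocked key."""
    subprocess.run(["gpg", "--batch", "--yes", "--armor", "--detach-sign", str(manifest)], check=True)

def signature_ok(manifest: Path) -> bool:
    """Step (5a): accept the manifest only if gpg verifies manifest.asc against the imported key."""
    return subprocess.run(["gpg", "--batch", "--verify", f"{manifest}.asc", str(manifest)]).returncode == 0

def check_tree(tree: Path, manifest: str) -> dict:
    """Step (5b): diff the synced tree against a signature-checked manifest; non-empty lists mean stop."""
    expected = {}
    for line in manifest.splitlines():
        digest, rel = line.split("  ", 1)
        expected[rel] = digest
    present = list_files(tree)
    return {
        "modified": sorted(r for r in expected if r in present and hash_file(present[r]) != expected[r]),
        "missing": sorted(r for r in expected if r not in present),
        "unexpected": sorted(r for r in present if r not in expected),
    }

def demo() -> dict:
    """Constructed tree: clean result, then an edited ebuild, a deleted file and an injected script."""
    with tempfile.TemporaryDirectory() as d:
        tree, pkg = Path(d), Path(d) / "app-misc" / "foo"
        pkg.mkdir(parents=True)
        (pkg / "foo-1.0.ebuild").write_text("DESCRIPTION='foo'\n")
        (pkg / "Manifest").write_text("constructed\n")
        manifest = build_manifest(tree)
        clean = check_tree(tree, manifest)
        (pkg / "foo-1.0.ebuild").write_text("DESCRIPTION='foo'\nsrc_unpack() { :; }\n")
        (pkg / "Manifest").unlink()
        (pkg / "extra.sh").write_text("#!/bin/sh\n")
        return {"clean": clean, "tampered": check_tree(tree, manifest)}
```

In a real deployment signature_ok() must pass before check_tree() is consulted, and an "unexpected" file is as much a reason to refuse to emerge as a "modified" one.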