List Archive: gentoo-security
Headers:
To: shimi <shimi@...>, "gentoo-security@g.o" <gentoo-security@g.o>
From: "Butterworth, John W." <jbutterworth@...>
Subject: RE: portage/rsync question
Date: Tue, 6 Apr 2010 16:45:52 -0400
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Thank you Shimi.  <o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I also came across a couple of threads in my research:<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><a
href="http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/">http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/</a> 
and<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><a href="http://thread.gmane.org/gmane.linux.gentoo.devel/38363">http://thread.gmane.org/gmane.linux.gentoo.devel/38363</a><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>These (from back in 2006/2008) discuss potential changes to
make the Gentoo software distribution system more secure. Does Portage verify
various different hash signatures on the source files as a result of these
recommendations, or is this something Portage has always done? Does anyone know
if anything (else) ever came of these proposals?<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I’m new to the Gentoo community and am playing catch-up in regards
to what’s going on.  Thank you. <o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>-John<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> shimi [mailto:shimi@...] <br>
<b>Sent:</b> Tuesday, April 06, 2010 4:27 PM<br>
<b>To:</b> gentoo-security@g.o<br>
<b>Cc:</b> Butterworth, John W.<br>
<b>Subject:</b> Re: [gentoo-security] portage/rsync question<o:p></o:p></span></p>

</div>

<p class=MsoNormal style='margin-left:.5in'><o:p>&nbsp;</o:p></p>

<div>

<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
12.0pt;margin-left:.5in'><o:p>&nbsp;</o:p></p>

<div>

<p class=MsoNormal style='margin-left:.5in'>On Tue, Apr 6, 2010 at 10:26 PM,
Butterworth, John W. &lt;<a href="mailto:jbutterworth@...">jbutterworth@...</a>&gt;
wrote:<o:p></o:p></p>

<div>

<div>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
margin-left:.5in'>Hi.&nbsp; I have a security-related question for
Portage/rsync: <o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
margin-left:.5in'>&nbsp;<o:p></o:p></p>

<p style='margin-left:.5in'>If someone makes a change to a copy of a program
(say a backdoor added to apache) hosted on a public mirror, will the sync’ing
between the public mirror and the main rotation mirror determine that it's
corrupted (via 'bad' checksum) on the public-mirror side and replace it? <o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
margin-left:.5in'>&nbsp;<o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
margin-left:.5in'><o:p>&nbsp;</o:p></p>

</div>

</div>

<div>

<p class=MsoNormal style='margin-left:.5in'>If it's hosted @ Gentoo, if the
main server is intact, the next sync will overwrite the mirror-local copy<br>
<br>
If it's not hosted on Gentoo's mirror, Gentoo's sync'ing is unrelated (and I
understand that's the scenario you refer to)<br>
<br>
Anyways, unless the *ebuild* was *also* poisoned (which can't happen by a
cracker changing stuff at <a href="http://apache.org">apache.org</a>), when you
try to *emerge* the package, emerge will fail because Portage verifies various
different hash signatures on the source files - which are embedded in the
portage package tree [1].<br>
<br>
HTH,<br>
<br>
-- Shimi<br>
<br>
[1] Try: cat /usr/portage/www-servers/apache/Manifest<br>
<br>
&nbsp;<o:p></o:p></p>

</div>

</div>

<p class=MsoNormal style='margin-left:.5in'><o:p>&nbsp;</o:p></p>

</div>

</div>

</body>

</html>
Attachment:
smime.p7s (S/MIME cryptographic signature)
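As an added example (not code from the thread or from Portage itself), the verification step Shimi describes, applied to a constructed Manifest: the DIST lines record the size and hashes of each source file, and a fetched distfile is rejected when the size or any recorded hash differs. The distfile bytes, the name httpd-demo.tar.bz2 and the placeholder ebuild line are all made up for the demo; real Manifests live under /usr/portage/<category>/<package>/Manifest as in Shimi's footnote.

```python
import hashlib
import hmac

# Constructed sample (not from the thread): bytes standing in for a source
# tarball, plus a Manifest whose DIST line is derived from those bytes.
SAMPLE_DISTFILE = b"stand-in for a source tarball fetched from a public mirror\n"
TAMPERED_SAME_SIZE = SAMPLE_DISTFILE.replace(b"source", b"SOURCE")  # same length, changed bytes
SAMPLE_MANIFEST = (
    f"DIST httpd-demo.tar.bz2 {len(SAMPLE_DISTFILE)} "
    f"BLAKE2B {hashlib.blake2b(SAMPLE_DISTFILE).hexdigest()} "
    f"SHA512 {hashlib.sha512(SAMPLE_DISTFILE).hexdigest()}\n"
    "EBUILD placeholder-0.0.ebuild 1234 SHA256 " + "0" * 64 + "\n"  # non-DIST line, ignored
)
# Manifest hash names -> hashlib names this checker can verify.
SUPPORTED = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512", "BLAKE2B": "blake2b"}


def parse_manifest(text: str) -> dict:
    """Return {distfile: (size, {HASHNAME: hexdigest})} from a Manifest's DIST lines.
    Layout: DIST <name> <size> <HASH> <hex> [<HASH> <hex> ...]; other lines are skipped."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != "DIST" or len(f) % 2 == 0:
            continue
        entries[f[1]] = (int(f[2]), dict(zip(f[3::2], f[4::2])))
    return entries


def verify_distfile(name: str, data: bytes, manifest: dict):
    """Check size and every supported hash; fail closed when nothing can be verified."""
    if name not in manifest:
        return False, "no DIST entry for this file"
    size, hashes = manifest[name]
    if len(data) != size:
        return False, f"size mismatch: Manifest says {size}, file is {len(data)}"
    checked = 0
    for algo, expected in hashes.items():
        impl = SUPPORTED.get(algo)
        if impl is None:
            continue  # unknown algorithm: cannot be checked here, so it earns no trust
        if not hmac.compare_digest(hashlib.new(impl, data).hexdigest(), expected.lower()):
            return False, f"{algo} mismatch: file differs from what the tree's Manifest recorded"
        checked += 1
    if checked == 0:
        return False, "no supported hash to verify against"
    return True, f"{checked} hash(es) match"


if __name__ == "__main__":
    m = parse_manifest(SAMPLE_MANIFEST)
    print("clean   :", verify_distfile("httpd-demo.tar.bz2", SAMPLE_DISTFILE, m))
    print("tampered:", verify_distfile("httpd-demo.tar.bz2", TAMPERED_SAME_SIZE, m))
```

The check is only as good as the Manifest it reads: a poisoned tree would ship a matching Manifest, which is the gap the tree-signing GLEPs linked above address.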