Thank you Shimi.

I also came across a couple of threads in my research:

http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/ and

http://thread.gmane.org/gmane.linux.gentoo.devel/38363

These (from back in 2006/2008) discuss potential changes to make the Gentoo software distribution system more secure. Does Portage verify various different hash signatures on the source files as a result of these recommendations, or is this something Portage has always done? Does anyone know if anything (else) ever came of these proposals?

I'm new to the Gentoo community and am playing catch-up in regards to what's going on. Thank you.

-John

From: shimi [mailto:shimi@×××××.net]
Sent: Tuesday, April 06, 2010 4:27 PM
To: gentoo-security@l.g.o
Cc: Butterworth, John W.
Subject: Re: [gentoo-security] portage/rsync question

On Tue, Apr 6, 2010 at 10:26 PM, Butterworth, John W. <jbutterworth@×××××.org> wrote:

Hi. I have a security-related question for Portage/rsync:

If someone makes a change to a copy of a program (say a backdoor added to apache) hosted on a public mirror, will the sync'ing between the public mirror and the main rotation mirror determine that it's corrupted (via 'bad' checksum) on the public-mirror side and replace it?

If it's hosted @ Gentoo, and the main server is intact, the next sync will overwrite the mirror-local copy.

If it's not hosted on Gentoo's mirror, Gentoo's sync'ing is unrelated (and I understand that's the scenario you refer to).

Anyways, unless the *ebuild* was *also* poisoned (which can't happen by a cracker changing stuff at apache.org), when you try to *emerge* the package, emerge will fail because Portage verifies various different hash signatures on the source files - which are embedded in the portage package tree [1].

HTH,

-- Shimi

[1] Try: cat /usr/portage/www-servers/apache/Manifest
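The check Shimi describes, as an added worked example (this is illustrative code written for this page, not Portage's own implementation and not posted by anyone in the thread): a Manifest's DIST entry records the distfile's size and one or more digests, and emerge refuses to unpack a tarball that does not match every recorded value. The "tarball" bytes and the Manifest line below are constructed for the demo; the digest set (BLAKE2B, SHA256, SHA512) is an assumption about repository configuration, not the exact set any particular Gentoo tree used.

```python
"""Verify a distfile against the DIST entry in an ebuild's Manifest.

Added illustration only; not Portage code. Manifest2 DIST lines have the
layout "DIST <filename> <size> <HASH> <hex> [<HASH> <hex> ...]". The
digest names used here are an assumption about the tree's configuration.
"""
import hashlib
from typing import Dict, List, Tuple

# Digest names as they appear in DIST lines, mapped to hashlib constructors.
HASHES = {
    "BLAKE2B": hashlib.blake2b,
    "SHA256": hashlib.sha256,
    "SHA512": hashlib.sha512,
}


def digests(data: bytes) -> Dict[str, str]:
    """Compute every configured digest of the file contents."""
    return {name: fn(data).hexdigest() for name, fn in HASHES.items()}


def make_dist_entry(filename: str, data: bytes) -> str:
    """Build the DIST line a maintainer's tooling records for a pristine file."""
    parts = [f"DIST {filename} {len(data)}"]
    for name, hexdigest in digests(data).items():
        parts.append(f"{name} {hexdigest}")
    return " ".join(parts)


def parse_manifest(text: str) -> Dict[str, Tuple[int, Dict[str, str]]]:
    """Return {filename: (size, {HASH: hex})} for every DIST entry.

    Other entry types (EBUILD, MISC, AUX) cover files inside the tree itself
    and are skipped here; malformed lines are skipped rather than trusted.
    """
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        # A valid DIST line has 3 leading fields plus (name, hex) pairs: odd length.
        if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 == 0:
            continue
        name, size = fields[1], int(fields[2])
        hashes = dict(zip(fields[3::2], fields[4::2]))
        entries[name] = (size, hashes)
    return entries


def verify_distfile(manifest: str, filename: str, data: bytes) -> List[str]:
    """Return mismatch reasons; an empty list means the distfile is accepted.

    Every recorded digest must match: one matching digest does not excuse
    a mismatch in another, and a digest we cannot compute is a failure.
    """
    entries = parse_manifest(manifest)
    if filename not in entries:
        return [f"{filename}: no DIST entry in Manifest"]
    expected_size, expected = entries[filename]
    problems = []
    if len(data) != expected_size:
        problems.append(f"size {len(data)} != {expected_size}")
    actual = digests(data)
    for name, hexdigest in expected.items():
        if name not in actual:
            problems.append(f"{name}: unsupported digest, cannot verify")
        elif actual[name] != hexdigest:
            problems.append(f"{name} mismatch")
    return problems


# Constructed sample "tarball" and a same-length tampered copy, so the size
# check alone would pass and only the digests catch the modification.
DISTFILE = "httpd-2.2.15.tar.bz2"
PRISTINE = b"httpd-2.2.15 source tree (constructed sample, not a real tarball)\n"
TAMPERED = PRISTINE.replace(b"source", b"trojan")

# The Manifest as the maintainer committed it, computed over the pristine bytes.
MANIFEST = make_dist_entry(DISTFILE, PRISTINE)

if __name__ == "__main__":
    print(MANIFEST)
    print("pristine :", verify_distfile(MANIFEST, DISTFILE, PRISTINE) or "OK")
    print("tampered :", verify_distfile(MANIFEST, DISTFILE, TAMPERED))
```

This covers only the distfile side of the question: a backdoored tarball on a mirror fails against the digests recorded in the tree. It says nothing about the integrity of the Manifest itself, which is what the tree-signing GLEPs John links to address.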