1 |
Mansour Moufid wrote: |
2 |
> An attacker would need to be able to manipulate both the rsync server |
3 |
> and the actual downloaded packages since Portage verifies checksums |
4 |
> (RMD160, SHA1, SHA256, size). This is possible, as you mentioned, |
5 |
> using DNS spoofing. |
6 |
> |
7 |
|
8 |
I don't think this is exactly true, since when I do a emerge --rsync I |
9 |
also get patches, which can get applied. It could also download a |
10 |
different package without a second DNS spoof. Someone could change what |
11 |
it is trying to download (SRC_URI), it fails to find it in the package |
12 |
mirrors and downloads the package from a malicious site. |
13 |
|
14 |
|
15 |
Russell Valentine |
16 |
-- |
17 |
gentoo-security@l.g.o mailing list |