List Archive: gentoo-security
Mansour Moufid wrote:
> An attacker would need to be able to manipulate both the rsync server
> and the actual downloaded packages since Portage verifies checksums
> (RMD160, SHA1, SHA256, size). This is possible, as you mentioned,
> using DNS spoofing.
I don't think this is exactly true, since when I do an emerge --rsync I
also get patches, which can get applied. It could also download a
different package without a second DNS spoof. Someone could change what
it is trying to download (SRC_URI), it fails to find it in the package
mirrors and downloads the package from a malicious site.
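To make concrete what the checksums named in the quoted reply do and do not cover, here is an added example that is not Portage's own code and not from anyone in the thread: a small verifier for Manifest DIST entries in the size/RMD160/SHA1/SHA256 form, run over constructed data. The file name, Manifest lines and tarball bytes are all made up; the last call shows that when the same party controls the rsync tree, the checksums match the replaced file too, so the tree's integrity has to be established by something other than its own Manifests.

```python
import hashlib

# Assumed Manifest2 DIST layout: DIST <file> <size> <ALGO> <hex> [<ALGO> <hex>...]
HASH_ALIASES = {"RMD160": "ripemd160", "SHA1": "sha1", "SHA256": "sha256"}


def parse_manifest(text):
    """Return {filename: (size, {ALGO: hexdigest})} for every DIST line."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 != 1:
            continue  # not a DIST line, or algorithm/digest pairs are uneven
        entries[fields[1]] = (int(fields[2]), dict(zip(fields[3::2], fields[4::2])))
    return entries


def verify_distfile(manifest_text, name, data):
    """Check a downloaded distfile against its DIST entry; returns (ok, reason).

    The size must match, every listed hash this Python build can compute must
    match, and at least one hash must actually have been checked."""
    entry = parse_manifest(manifest_text).get(name)
    if entry is None:
        return False, "no DIST entry for %s" % name
    size, hashes = entry
    if len(data) != size:
        return False, "size mismatch: %d != %d" % (len(data), size)
    checked = 0
    for algo, expected in hashes.items():
        try:
            h = hashlib.new(HASH_ALIASES.get(algo, algo.lower()))
        except ValueError:
            continue  # e.g. RMD160 absent from this OpenSSL build; skip it
        h.update(data)
        if h.hexdigest() != expected.lower():
            return False, "%s mismatch" % algo
        checked += 1
    if checked == 0:
        return False, "no supported hash algorithm in Manifest"
    return True, "ok"


def make_manifest(name, data):
    """Build a DIST line for `data`; used to simulate an honest and a rewritten tree."""
    return "DIST %s %d SHA1 %s SHA256 %s\n" % (
        name, len(data), hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest())


# Constructed sample data: same length, one byte changed in the tampered copy.
GENUINE = b"genuine tarball bytes (constructed)"
TAMPERED = b"genuine tarball bytes (c0nstructed)"
HONEST_MANIFEST = make_manifest("foo-1.0.tar.gz", GENUINE)
TAMPERED_MANIFEST = make_manifest("foo-1.0.tar.gz", TAMPERED)  # tree rewritten as well
```

With the honest Manifest the tampered tarball is rejected on the SHA1 line, but against a Manifest rewritten by the same party the check passes, which is the point made in the reply above.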