List Archive: gentoo-security
Headers:
To: shoehn@...
From: Ed Grimm <paranoid@...>
Subject: Re: Built in integrity?
Date: Tue, 10 Feb 2004 04:30:40 -0500 (EST)
On Tue, 10 Feb 2004 shoehn@... wrote:
> On Mon, 09 Feb 2004 16:14:21 -0800
> Joby Walker <zorloc@...> wrote:
>
> [..]
>
>> They are not discussing the MD5s stored in the portage tree but the MD5s
>> that are generated and stored in the CONTENTS files
>> (/var/db/pkg/*/*/CONTENTS), which are the compiled binaries.
>
> I don't consider all these checks very useful. How can I be sure the
> files emerge downloaded are really the correct ones? I guess if
> someone would try to fool me with the help of the portage system he would
> change the version of portage with a "bad" one, that would obtain the
> "bad" files from an evil server, but with correct MD5 sums. So no one
> would realize that unless the tampered copy of portage is detected.
>
> I would suggest a normal IDS and try to keep the installed program's
> integrity in place. The portage's integrity is a really hard to solve
> problem, as long as I cannot be sure that the portage binary does what
> it is supposed to do.

A simple solution to this component would be to use PGP, GPG, or X.509
crypto signatures instead of MD5 checksums.  Admittedly, you still need
to worry about how to get a valid copy of the public key to be able to
do your verifications.  But this reduces it from many acts of blind
faith to two - the first in the Gentoo team as a whole, the second on
the sig.  I'm not sure how to reduce it down to zero.

Ed

--
gentoo-security@g.o mailing list
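
The trust argument in this message, as an added example that is not part of the original post and not Portage code: a checksum list served alongside the files accepts a consistently tampered set, a signature checked against a trusted public key rejects it, and a swapped public key brings the problem back. A Lamport one-time signature built from SHA-256 stands in for PGP/GPG/X.509 so the block runs on the Python standard library alone; the manifest format, file names and function names are assumptions.

```python
import hashlib
import secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def bits(msg: bytes) -> list:
    """The 256 bits of SHA-256(msg), most significant first."""
    n = int.from_bytes(h(msg), "big")
    return [(n >> (255 - i)) & 1 for i in range(256)]

# Lamport one-time signature: a stdlib-only stand-in for GPG/X.509 signing.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(h(a), h(b)) for a, b in sk]

def sign(sk, msg: bytes) -> list:
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        h(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def manifest(files: dict) -> bytes:
    """Constructed 'path digest' listing, standing in for a checksum manifest."""
    return "\n".join(f"{p} {h(d).hex()}" for p, d in sorted(files.items())).encode()

def checksum_only_ok(files, served) -> bool:
    return manifest(files) == served          # digests come from the same source

def signed_ok(files, served, sig, trusted_pk) -> bool:
    return verify(trusted_pk, served, sig) and manifest(files) == served

def scenarios() -> dict:
    good = {"usr/bin/tool": b"genuine build"}     # constructed sample data
    evil = {"usr/bin/tool": b"tampered build"}
    dev_sk, dev_pk = keygen()                     # distribution's signing key
    bad_sk, bad_pk = keygen()                     # key controlled by the tamperer
    good_m, evil_m = manifest(good), manifest(evil)
    good_sig, evil_sig = sign(dev_sk, good_m), sign(bad_sk, evil_m)
    return {
        "checksum_only_accepts_tampered": checksum_only_ok(evil, evil_m),
        "signed_accepts_genuine": signed_ok(good, good_m, good_sig, dev_pk),
        "signed_accepts_tampered_old_sig": signed_ok(evil, evil_m, good_sig, dev_pk),
        "signed_accepts_tampered_new_sig": signed_ok(evil, evil_m, evil_sig, dev_pk),
        "swapped_public_key_accepts_tampered": signed_ok(evil, evil_m, evil_sig, bad_pk),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The last scenario is the remaining act of faith the message describes: verification is only as trustworthy as the copy of the public key it is checked against.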



Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.
