List Archive: gentoo-security
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
On Tue, 10 Feb 2004 shoehn@... wrote:
> On Mon, 09 Feb 2004 16:14:21 -0800
> Joby Walker <zorloc@...> wrote:
>> They are not discussing the MD5s stored in the portage tree but the MD5s
>> that are generated and stored in the CONTENTS files
>> (/var/db/pkg/*/*/CONTENTS), which are the compiled binaries.
> I don't consider all these checks very useful. How can I be sure the
> files emerge downloaded are really the correct ones? I guess if
> someone would try fool me with the help of the portage system he would
> change the version of portage with a "bad" one, that would obtain the
> "bad" files from an evil server, but with correct MD5 sums. So noone
> would realize that unless the tampered copy of portage is detected.
> I would suggest a normal IDS and try to keep the installed program's
> integrity in place. The portage's integrity is a really hard to solve
> problem, as long as I cannot be sure that the portage binary does what
> it is supposed to do.
A simple solution to this component would be to use PGP, GPG, or X.509
crypto signatures instead of MD5 checksums. Admittedly, you still need
to worry about how to get a valid copy of the public key to be able to
do your verifications. But this reduces it from many acts of blind
faith to two - the first in the Gentoo team as a whole, the second on
the sig. I'm not sure how to reduce it down to zero.
firstname.lastname@example.org mailing list