List Archive: gentoo-security
Headers:
To: "Butterworth, John W." <jbutterworth@...>
From: shimi <shimi@...>
Subject: Re: portage/rsync question
Date: Wed, 7 Apr 2010 00:06:47 +0300
<div dir="ltr"><br><div class="gmail_quote">On Tue, Apr 6, 2010 at 11:45 PM, Butterworth, John W. <span dir="ltr">&lt;<a href="mailto:jbutterworth@...">jbutterworth@...</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">

<div>

<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">Thank you Shimi.  </span></p>

<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">I also came across a couple of threads in my research:</span></p>

<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"><a href="http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/" target="_blank">http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/</a> 
and</span></p>

<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"><a href="http://thread.gmane.org/gmane.linux.gentoo.devel/38363" target="_blank">http://thread.gmane.org/gmane.linux.gentoo.devel/38363</a></span></p>


<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>

<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">These (from back in 2006/2008) discuss potential changes to
make the Gentoo software distribution system more secure. Does Portage verify
various different hash signatures on the source files as a result of these
recommendations or is this something Portage has always done? Does anyone know
if anything (else) ever came of these proposals? </span></p>

<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p></div></div></blockquote><div><br>This is with regards to signing; signing also promises you that the file at Gentoo&#39;s main distribution is intact, otherwise the signing won&#39;t be valid. Verifying file integrity by hashes is unrelated; of course, when you do sign your releases, you have to sign all the relevant stuff, including the hashes of the files, so everyone can verify that *nothing* was tampered with. But I was merely talking about verifying that the downloaded file matches what the developer who added the package had on his computer (assuming, again, that you&#39;re syncing from a reliable source, and that this reliable source who is syncing from Gentoo&#39;s main tree is syncing from a non-compromised tree, AND that no one MITM&#39;d it - which is difficult to achieve when rsync traffic is not SSL with verifiable certs AND the packages themselves are not signed with PGP etc...)<br>
<br>Anyways, the existence of hashes for the files, if memory serves me right, has been there before I started using Gentoo, which dates back to the end of 2003... the hash algorithms have changed over time, but that&#39;s no biggie - you can look at the Manifest file I gave as an example - you just have the hash there along with the algorithm that needs to verify it (and there&#39;s more than one...)<br>
<br>Sorry but I don&#39;t know about the status of actual Signing in Gentoo which is probably handled by the security people... I am merely an old user :)<br><br>HTH,<br><br>-- Shimi<br></div></div><br></div>
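The distinction shimi draws above (hashes in the Manifest catch a corrupted download; only a signature over the Manifest catches an attacker who rewrites both the file and its Manifest line on an unauthenticated rsync path) can be made concrete. The following is an added example, not Portage's code and not anything from the thread: it parses constructed Manifest2-style lines (`DIST <name> <size> <ALGO> <hex> ...`), verifies each distfile against them, and then plays out both failure modes. The OpenPGP tree signature the thread discusses is replaced here by an HMAC over the Manifest text, purely so the example runs offline with the standard library; the file names, contents and the `MAINTAINER_KEY` are all constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass


# Constructed sample distfiles (in-memory stand-ins for tarballs in distfiles/).
DISTFILES = {
    "foo-1.0.tar.gz": b"foo source tarball contents\n",
    "bar-2.3.tar.bz2": b"bar source tarball contents\n",
}

# Stand-in for the maintainer's OpenPGP key: an HMAC key. Assumption for this
# example only; real tree signing is asymmetric, but the check has the same shape.
MAINTAINER_KEY = b"constructed-example-key-not-a-real-secret"


@dataclass
class Entry:
    ftype: str      # DIST, EBUILD, AUX, MISC
    name: str
    size: int
    hashes: dict    # algorithm name -> hex digest, as listed in the Manifest


def build_manifest(files, algos=("SHA256", "SHA512")):
    """Emit Manifest2-style lines: '<TYPE> <name> <size> <ALGO> <hex> [<ALGO> <hex> ...]'."""
    lines = []
    for name, data in sorted(files.items()):
        parts = ["DIST", name, str(len(data))]
        for algo in algos:
            parts += [algo, hashlib.new(algo.lower(), data).hexdigest()]
        lines.append(" ".join(parts))
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Parse Manifest lines into Entry objects keyed by file name."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Need type, name, size and at least one (algo, digest) pair.
        if len(parts) < 5 or (len(parts) - 3) % 2:
            raise ValueError(f"malformed Manifest line: {raw!r}")
        hashes = dict(zip(parts[3::2], parts[4::2]))
        entries[parts[1]] = Entry(parts[0], parts[1], int(parts[2]), hashes)
    return entries


def verify_file(entry, data):
    """Check the size and every hash whose algorithm this hashlib build knows.
    Returns (ok, list_of_problems)."""
    problems = []
    if len(data) != entry.size:
        problems.append(f"size {len(data)} != {entry.size}")
    checked = 0
    for algo, expected in entry.hashes.items():
        try:
            h = hashlib.new(algo.lower())
        except ValueError:
            continue    # algorithm unknown here: skip it, but demand at least one
        h.update(data)
        checked += 1
        if not hmac.compare_digest(h.hexdigest(), expected.lower()):
            problems.append(f"{algo} mismatch")
    if checked == 0:
        problems.append("no verifiable hash algorithm in Manifest entry")
    return (not problems, problems)


def sign_manifest(text, key=MAINTAINER_KEY):
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


def manifest_signature_valid(text, signature, key=MAINTAINER_KEY):
    return hmac.compare_digest(sign_manifest(text, key), signature)


def corrupt_download_scenario():
    """Honest Manifest, damaged distfile: the hashes alone catch this."""
    entries = parse_manifest(build_manifest(DISTFILES))
    return verify_file(entries["bar-2.3.tar.bz2"], b"truncated")


def mitm_scenario():
    """Attacker on an unauthenticated rsync path replaces a distfile AND rewrites its
    Manifest line to match. Hash checks pass; only the signature over the Manifest fails."""
    signature = sign_manifest(build_manifest(DISTFILES))   # produced by the maintainer
    tampered = dict(DISTFILES)
    tampered["foo-1.0.tar.gz"] = b"foo source tarball contents plus a backdoor\n"
    tampered_manifest = build_manifest(tampered)
    entries = parse_manifest(tampered_manifest)
    hashes_ok = all(verify_file(entries[n], d)[0] for n, d in tampered.items())
    return hashes_ok, manifest_signature_valid(tampered_manifest, signature)


if __name__ == "__main__":
    print("corrupt download (ok, problems):", corrupt_download_scenario())
    print("MITM (hashes_ok, signature_ok):", mitm_scenario())
```

`verify_file` skips algorithms the local hashlib cannot compute rather than failing, which mirrors the point that the algorithm set has changed over time, but it refuses an entry where nothing could be checked at all. The second scenario is the one that matters for the thread: with the file and its Manifest line both rewritten, every hash matches and only the key the attacker does not hold exposes the swap.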
References:
portage/rsync question
-- Butterworth, John W.
Re: portage/rsync question
-- shimi
RE: portage/rsync question
-- Butterworth, John W.


Updated May 10, 2012

Summary: Archive of the gentoo-security mailing list.
Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.